460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
Size

74KB
MD5

1aafd1ec810061b0486188f308434850
SHA1

bfafa56347bcf9b47036adcefeaddce4ae5eab2e
SHA256

460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8
SHA512

1cc21f786844d25f452dd1bcd4bc2656215b0968edf7d8c6d735ceadf4bca6750be27596f96d6fe56e95c15a01f6369a8fcb67ae20ef61115e3691aa843e647f
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8zxY5eYl:6e76mQSox5t

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe

C:\Users\Admin\AppData\Local\Temp\460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe
"C:\Users\Admin\AppData\Local\Temp\460e9ea3f647b37f25b75d4fad8c9a09e64de48af23d878f11bea0603d456de8N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
74KB

MD5
24e1d82a774e2e3f699cbfc6ea57ec7f

SHA1
08292b321d9fab78e2104f6d94162d0a2dada0b5

SHA256
9c42e4452aedcb24fbc481deceed8de051458c66613d63fa9db22772eb5823f4

SHA512
785017d888b5e284499683e78053aac65cbf8f1b467bd130c6db677eb055cf0ad4262428f24b2105b989f03bd57c8d6c781ef1cf7b3264ece3ef1c857bc70c73

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
b592f3b62b37e8faed61a0b51cc27cce

SHA1
32ba4a44c1c96449b488a4c3c8ae1eccb121728f

SHA256
2e27bba3b4a67038bbd55def61626706ab83eca173d4b7e2f59119dab2a1d05c

SHA512
7c03178127076f2e0160117a65138e3bdbb1c053a76c0cc438ea41c4e49ededbb33c32faeeadf10dbd6d0ab2b1ed02d94c0b4f27bd079f96deddf1b91fdf9f29

Download Submit