6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
Size

49KB
MD5

f5906834e9a7af5a734958a458f06670
SHA1

fed5c870fb6b4088ca575e208505e0606c77cf0d
SHA256

6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5
SHA512

cf0b6a2dbf671fb4382d8bd4cc895f859143a914bd2c97063a1a1f43645900dd5c24e649a9d3ea4e6bd0173b41d2bf697378197a0744f5cbdff0ce2189647ee1
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c5h:W7ZhA7dABJJZENTBWv36j

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4681) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe

C:\Users\Admin\AppData\Local\Temp\6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe
"C:\Users\Admin\AppData\Local\Temp\6486ce00279c21a21511cec48ecd3da96f794cccf31a46f739dc29696ffe8dc5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
49KB

MD5
a13d0415844b47c2d19e7620884cd327

SHA1
baf3cef7b238b01a0bbaa7e877ca3a5de11ade97

SHA256
2abf9f6f217e9a015418b05e96dbd9e8434d9f94256b0e85ce95c9f6fa153751

SHA512
661d56ed0110312bfef5eba11ab9f5c59a2e4ce7af0f0153a9795dd5041fc9446af3e702f2e5c02733113b0e4ac362920a95f7cc72c824b46b15696b3c951a03

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
11ff572e71bd70127e72dfab41aa5939

SHA1
5f5d6df7cc75018f7eaccbe120f5e605ae1b7be8

SHA256
d18d6ed0028d2db2ae25a20b0a34bf43838f333b8f9ebb7c1d70ae325b04e59d

SHA512
9d69b5e04a318d1099988686755a6bbf1f03a3e1223da10862a6de82e8590118d26aa7fa62e56874dae30436fe6b756855ac185ebf6403fd85831e720e0bd3ab

Download Submit