Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2024 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe
Resource
win7-20240708-en
windows7-x64
3 signatures
120 seconds
Behavioral task
behavioral2
Sample
1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
120 seconds
General
-
Target
1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe
-
Size
120KB
-
MD5
639185765c27c3e4e2f3616d77d88530
-
SHA1
c46550a6f140e03ce88dbbad1768e9724c4f503a
-
SHA256
1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9
-
SHA512
b2257af152aa360553601a694c96e5d4576ed746387fbca86a60a35efbc7ff1d0e3cc5e2688d7153d5cfbf13585374e2ab9f8b62ece30d9290d3f8562ee13468
-
SSDEEP
3072:6e76BtEkoIAkeF0RNyreZ8PRmqIZq9awE0ctUiQF2vUHFe+0AkyyDfEmU0RFWW:Re/EUL
Score
9/10
Malware Config
Signatures
-
Renames multiple (4335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\7-Zip\Lang\hr.txt.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\DebugConfirm.mht.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe File created C:\Program Files\LimitUnlock.vb.tmp 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe"C:\Users\Admin\AppData\Local\Temp\1110262ebf748ddd85ce59f493b9cf92a9568e6008bada55502cec44a10a1cd9N.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD587c278f8280f368839bf74142b3fe553
SHA1bde9334fca119f90d282571da3f9c56c675526ac
SHA2561652f1cd6483d63d966f6372abe057f3a06f61648e7e4313af2313f7f513a1e2
SHA5123b99b399d5154ff5bbd3bc37f697c860864946c2bfd49e77fcc967d4b7e5e2905e5e2a6b6901e281ce55ed44729cccd9c9506ba9db2ffdcb0818181826989cd4
-
Filesize
219KB
MD54e987a78205bd86b968ecf67c33a120f
SHA15622853c4184a003ae1bbf8c6a065eaeb47f6255
SHA256a63f050c98937010798708d50d55bb863b44ec14e6f5683a120eb04a9dfa6de1
SHA51246c31b694a0d58e791b889b3fe5b47f2f7ac5ccac2b857b9fca3ccb50c25ea096e0f5a80c60c8f67eb64dc8bd703ce93ef5a914237fb76cb4b4df129cba75961