915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
Size

47KB
MD5

7df9cb950eb855f0329d9dd1be9a9c70
SHA1

7c4a6514d7d03f4a7a01003169c0e1b72a3354eb
SHA256

915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193
SHA512

593faa3e99da960c2643178bfd95cc3c799df52a5678e67f8450bfdb9e1b1237a1d13890bb6ee32c68071bc1fbca6e25527e3c4879d438c67a0bb45738d81285
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FYzyKbNzzyKbNUjZ2S8W8Hoz:/7BlpQpARFbhCWK9WKKj38W8Hoz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe

C:\Users\Admin\AppData\Local\Temp\915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe
"C:\Users\Admin\AppData\Local\Temp\915143c5bf7711efcdb5ec4108a7f00b09f191a7c6becd6153a0aae954e3a193N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
47KB

MD5
44726dc8721a20b3ca8788f59487cca9

SHA1
9ef415bec08a0479245c35ed3a5272cc28ce9bf2

SHA256
2187e772bbe0c107f36a698fc41447aefffa79f0aa7c80ac059c7ffd4e767da4

SHA512
5c78c4ee4cd398b220f8b6cfd1dae4badace1cd44cb4e24f96e5487932ce221c924841e201cf6aa32726ae1f243299828063f169a89266064b24c8fcdef8b6ac

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
d124fbaa0c42f7ca1b908166e23ee9d9

SHA1
116785f5ec50befcd82f6e6dc08f327c8293813c

SHA256
387c4c252fc8496c447d10c64e3e2f0bc7699aec337248221eaced245822503d

SHA512
759e7abda26d17af6827b5715b39f9007c637a870922d5fba5de461d3169c83cf868efa25d231a6c6a4d07befc45e9667e59148f158e5424cc46ecf9aaeacaee

Download Submit
memory/2984-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2984-1002-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download