9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
Size

50KB
MD5

d13dcfa3acfa13b2e066a5bb973b4b3b
SHA1

5358883a387a140ead0702a09c395cfb90562b46
SHA256

9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44
SHA512

fd873714eb0f55b79b535710bc21466364a0823d9c202ebab576b40d41753fc404c6cddcaebd3981b79b68e76fde26d533084747d33d9362e7a1ba3d4931aaf8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFew/DbAGw/DbAu:W7ZppApBULcfpHLcfpyDoAu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe

C:\Users\Admin\AppData\Local\Temp\9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe
"C:\Users\Admin\AppData\Local\Temp\9b8260959a9b5ba39a831174b24098c4ecca8b017987ff527660f032bac17d44.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
50KB

MD5
40b90e2359e026160218a750504f281b

SHA1
7c03458803f8ede0f5751059fb7b66a96f852e11

SHA256
a85d5d926b01d1a8bae989f9ee2d8f9e0d1d0c80eb2eb46e4c89a1edea3bc3c5

SHA512
52b1ef8aebeac6e975839a633ad5dc5f6c3b874a39d423770eaad4a9d02b8f8089a799682b49cbc61552143b42ff743605d99354836ab9d32439db9fa9c6aa7a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
9fe3770454cb3b329a330d7c9ffbe884

SHA1
f300f8af32a7f0993971af013c1c34d433fbcc41

SHA256
e23d4f7d98495eb2f1ad4dedcd3fad5c66fed6c3d865ad528ab69ce9ab166463

SHA512
a38f30d3a87773eb8cf1868baf03896a7ec571165becf0b5761a4c84695e5032e8a039b9bbefc39195e4d59e77b6daf991a59373a510dee9ab04a8f37e69a877

Download Submit