9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
Size

51KB
MD5

244499aec980e5349044c42772c5f550
SHA1

793b22fc575495aa9ac949b587f3d17f72c305d2
SHA256

9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4
SHA512

12c10b6fe314152b5e0f188ce44a7a1f8f279b03bd004a7f2e641d4198c63e04443372a45d1a670910e9d534937ae6c4b9409c5ab01ce5c99b17a20e84b441a6
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJr4S04SwZ8NIZ8NkVs:/7BlpQpARFbhq1KX1016fBVs

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe

C:\Users\Admin\AppData\Local\Temp\9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe
"C:\Users\Admin\AppData\Local\Temp\9d48b7bfaea3deceebb64535205e2e070aa507e969044ddb924a33c6c175f6b4N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
51KB

MD5
aafa9e0ed02e038c6a2b9be95fd15786

SHA1
b4d84aa6154b6c34c22c828ea019229196b6a0fa

SHA256
7edfd555c51c04b0adbd335ccc6ddd85d77c0dfc5604130b6af0f3d3b055c317

SHA512
9c6cdd93cbfc7906f4c90664399467ca877b4159dd2190388922e29b815957e2e36693bc39c91d87dcc5d6fde0c609db3b34acc7550aa4585ba544d3c6cc838b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
05e5b0cf6f6692bf1c2619f881073362

SHA1
4a5e38956fdf2ceb03b1d340fe37dc4899106498

SHA256
d96adb60d53c62fe64040190725977c5ea39ed4d5e5f375e67d5bb99fb8ea72a

SHA512
65acbe37eb3b48cf0ef158dda2878bff5995a3328bf2902457acb3aae83bfdfb251178fb31330ab326118b64b483fc8095826bf3dd788cb1cae8d33b924b0215

Download Submit
memory/5084-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5084-1012-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download