9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
Size

6.1MB
MD5

729ac7abf9103e3e41ef6f04be3cf270
SHA1

6886e09cb681975d9a0020d31cb0a224b009b8f7
SHA256

9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3
SHA512

42eb1ebdf0f96d34e38875d68cc0810d09b087fdc4857e4566167c6f8e7d84b32bc06a143b63673da809a0c43a9df4176bae0c2c733aba73db180101f05b6f9a
SSDEEP

98304:cQKrgDhNYesxS8jRPGKGjeZnbanHoIbDDIYNv+E1LbRiq57nki7+:YGUesxJj6eYn3+ERbRiqBb+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe

C:\Users\Admin\AppData\Local\Temp\9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
"C:\Users\Admin\AppData\Local\Temp\9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
6.1MB

MD5
002ffb095a0864983321868bfd127d17

SHA1
c6ec57683ea4a75e54281bed57a0d2cb22ceda8d

SHA256
2d35e0ab885e7f4623258979235d658d79fbbd15c3daf4bdbec18b9230abdf2c

SHA512
d5e3cef435b085658b34304f9e6e9a9029f0531a787dcff6026a730f96afa63830bd2ed58b828f5c9b8eff83821000f012d7f3672196502b6be5cceb8f0c0a58

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
6.1MB

MD5
fac2ae3847a11443ae92ed28305f703a

SHA1
9c6fa0252954dc25d3c73d71946b93ac32830121

SHA256
d14c78a5196b79ce51754b88b0d59b28141949b827d670f51d3ef2ce68e6c8e8

SHA512
6a0da03b46d181d4bac16201e131117e5db6e2fbaca4980afb7acbce4c162bb2c6a0f12b45f2f6c862cc048cff22621c4cc22e4bf324f2d22917596555f9b263

Download Submit