9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
Size

6.1MB
MD5

729ac7abf9103e3e41ef6f04be3cf270
SHA1

6886e09cb681975d9a0020d31cb0a224b009b8f7
SHA256

9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3
SHA512

42eb1ebdf0f96d34e38875d68cc0810d09b087fdc4857e4566167c6f8e7d84b32bc06a143b63673da809a0c43a9df4176bae0c2c733aba73db180101f05b6f9a
SSDEEP

98304:cQKrgDhNYesxS8jRPGKGjeZnbanHoIbDDIYNv+E1LbRiq57nki7+:YGUesxJj6eYn3+ERbRiqBb+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe

C:\Users\Admin\AppData\Local\Temp\9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe
"C:\Users\Admin\AppData\Local\Temp\9f4c89e66a4eaa5ad785b50ae304933b3701f2ee7497c83eb8e7039f5c06a4e3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
6.1MB

MD5
8c68a816631885451624276de904d4ae

SHA1
77fcf780336bab28fdf95eb55ee99de5c8f2eda6

SHA256
0158d229f3cedb46661b65a84c4fb9e6116fdf324f7e3e369b6c546734958b25

SHA512
96b80e8f9d8c4ca3f575c1364e60d12c62152eda3c238ffe46a8930b6a6a311d07d803496466e6b42a8ff280eb9dfabe8c40ba5b8b6a1b30389ced7256f4fe27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
6.2MB

MD5
a5014d4c41511b285e0b232c62da0c93

SHA1
3fd5b29aa2b8774be4c20c47ffc2ffbb4a4b340c

SHA256
1060ec92a230e0c5666ce5b7ddc207c7c87bd599e93e90856a41c0047c8e3c6a

SHA512
ae5b5a65c64e16f7e85f92f096ff1bd1cbe435b875977a5c448ac714d4c9ee8463c1987c30683d6772845452609336a29ed3e622b6d477a830e778f419bdfa06

Download Submit