b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
Size

40KB
MD5

ef3cc198c1e5329654d999184ccea2f0
SHA1

0f77d38735f45620967569198ee666e46668a028
SHA256

b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940
SHA512

06753defe50f1ff33516b4029240fac280e05ed37718208063156d549117439050f92f017e13b86329fd0b0480dfe00afd438e0bcc5dce826c7773830c6a6054
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lFF/MF/6:W7ZhA7pApM21LOA1LOl6M2i

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\EditShow.edrwx.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe

C:\Users\Admin\AppData\Local\Temp\b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe
"C:\Users\Admin\AppData\Local\Temp\b09840ea431e90ec969249c0c936e4c695a6b30f3dc563d4b0b2375fd412f940N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
40KB

MD5
7770f1f009f17de872f9fa1e249b52fa

SHA1
5d22585e7ce152c8dc5fd54c9b38c0511107fd25

SHA256
807334804a3a23f0df19638b5301db6710762d1e76fb2d20552ce69a64c3ed79

SHA512
2503e5131f23ca38abdd1115f0d22acc2eb72a25e507e0039d8e9b04040cb5133744f7f1d5ddbbac10615f9e963bb22f90628931120545fd94a33c36debabe42

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
f677be90f4b55061a9e3b31f40de62ea

SHA1
ff0799a573a6f064165eedfc21b197cf2dab21b1

SHA256
cd4acf75a735d55e942618f984c649fae0a1c958a7d4bb1f50a19b4a9656ce49

SHA512
c8c3fdb743e61c4fd89228afde86eff8fd733cbfef807a1951a09b0276ad644b7a7ddbd8989776d56df0cc3262aa4447e88b778615a38604a19b9c3ac8eef330

Download Submit