9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
Size

47KB
MD5

75c825948d9868509c24bef0b829b0b0
SHA1

b98a8bb5d900ff1067d133e4dc48ab35016b5c34
SHA256

9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916
SHA512

b910471af0428256a280f427523b01fbaea35268cdb5c982a97baae575714db1d4a5671d7019325b003d4c2a4b502e346536b82f430e26530a9ef187336311ec
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F18jybCPi1x+jybCPi1xo:W7ZppApBULcfpHLcfpSo3fOBaqBa8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5301) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe

C:\Users\Admin\AppData\Local\Temp\9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe
"C:\Users\Admin\AppData\Local\Temp\9f42a5284df7e2e94110229950f333a92f0d8148995eaa14d7ef0fb501ef9916N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
47KB

MD5
e7a898cc8ce92cbaaac2c1005acd83ec

SHA1
d08610917620e12b9d743d706036fa623cb9ea5c

SHA256
56b3dd8aff648f1dd8685f13119de170cfa308ea5e728960c214587156867120

SHA512
64d10e4ae68b897aaa25c59788d23cc0faec3bb45815475a40028d317320f3a3aa2afd6f694567095d57ad90c91eee035fff469f6577dba259bfcffd0f729f50

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
d07c2ac4539e32d4747daf52ef6c260d

SHA1
52605d889e6f77ec36c47523099e1f895efdb34c

SHA256
1ddd5ab2c73cc3edc69390905d710c05d5fb5c842c76f7eb190b44a5712db2e0

SHA512
1c375b3ec131ee6a147a24c761038a00b70b5810d802fe20bdcabb731f696a0926b208e89f82195460a570ca6981b6508af1a69ce0b17a37e58e8ffac0be6f30

Download Submit