6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724d

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
Size

40KB
MD5

867bfbad84db0042fed890269ef279f0
SHA1

6abf0aa48123c5f6010d2d120745ab781eed93ea
SHA256

6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724d
SHA512

b4703bce5c810c137bb47687f0573ebcdd1a107817bba325275d10678134316f34b5bd4a3e94515cbd98aeae3d8eaf533dbfb057a825db55fc98dcfa8c9b0515
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSG:W7ZhA7pApM21LOA1LOl6vSG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe

C:\Users\Admin\AppData\Local\Temp\6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe
"C:\Users\Admin\AppData\Local\Temp\6d78521c08065bbd239a0b332690c6431c404198b3678cd25023004760ca724dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
40KB

MD5
e669e58aa2f4014dd31e1deab2ab7a40

SHA1
6e63abec283a1d53f7f040daf9d540b4ee0ba80a

SHA256
54ea0b68157662d6c08adf89c5cb128ddeedaf962534e78c34341eebb6ccff0f

SHA512
90fb47cb9a11f29f212e56144733b3a08a3618d27acf144cecfee36143846fbda89e11c5f605e918408b6b5eca0cfe77924d3b862ab8ea251363c61a48a3342a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
e16da81ed492c92075892017d212a419

SHA1
3357b63642b70a04d23073f3e5d9921923af3d42

SHA256
4d81c13c60bd05271bfcd95ff74f6da09c7333ae7d6a451dd1d5505fc2c23118

SHA512
5c5ce3188e8ce14e586b48db6632aa9b5a0be50c2471b6890e8fc11e269aba45d93eed4dfba838a071532a9c6287fd6a31afedb40c81369552c1dff499979e1c

Download Submit