92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0a

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
Size

89KB
MD5

e7770076f30c93d7b599dc2b795b7590
SHA1

0f0d05ab2056c569c0f2fef8e8dc203b31861601
SHA256

92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0a
SHA512

cc4095581cf1a6e1fe13c99a291930de67523d213ce9dc40b607ab56b8ca0d0b841f284b1cfd68c11268c3300aad831ffa2f2b1bea2250a533eaad26a8a1585c
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhO:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4365) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\AssertDisconnect.vssx.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe

C:\Users\Admin\AppData\Local\Temp\92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
"C:\Users\Admin\AppData\Local\Temp\92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
1⤵
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
89KB

MD5
12a68178a6e4b7a9ef52687a6f004628

SHA1
083a68a933b4d31d96eb154068b124eb97d73202

SHA256
e0fec9058f812ab411c5febf6b770b36bc10c44d923df14ab9aaac7541afd7a9

SHA512
085ed3bc29202919fd9d1f070d0605d546155b258f474d2e422759993f029cf2b64b7918623ef9e487f7fca39a4b4870d2c780d06fd0ca951252ab48203b4d4d

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
202KB

MD5
54b86bce7b3968ccc2d08eb47bfafe05

SHA1
f4c71cbb95702ae20a4aa393f553058f09843bf1

SHA256
4aeac065801cb91fa6d91ad6920e0db82d1cb29ad77c275ae5c123b354778bda

SHA512
3b8bced9f9dfd6e1044da64598256babb5263dcba7ba47b1f5d316fd790a983de59e2681381870af24eef670ee1d39d7265cf7ba10846f873683d5a25f009273

Download Submit