69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6ba

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
Size

40KB
MD5

5365420e627c95b6b83d4911bf312310
SHA1

3395d5d2b9c4d0241f57139ddb6ba61d92211af0
SHA256

69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6ba
SHA512

b180eb4288e74314e5c18b425f29eb06124bfbdee57845acbb49fc04647348324428ac64fa2b3e30eb023d29aa60bb83ad6343fe4f9a04208b03cf8cbd8b6207
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1j:W7ZppApBULcfpHLcfpSo3f9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4680) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe

C:\Users\Admin\AppData\Local\Temp\69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe
"C:\Users\Admin\AppData\Local\Temp\69c6bd3e63fb080bc196e624f458b7d655c583d2f55e3af2c7533f8be392d6baN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
40KB

MD5
39dd03dc1defed9148094924ba826acb

SHA1
5ad229dca973f41d3b842747fb751c5b530743df

SHA256
3a1753b6ef7c6bb35fb860bde8b0addc4f951442ca57ea3d2c887ad30c91537b

SHA512
bdfd49ab7a52ee50f5b8fb6c27ca6f4e43f0633e20b1fd0b4cdcedc90f38572952aa11da3b48b518f72c064eff7f5738029b198e86f735531c91307fcc1ba258

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
1229334bc09d4636ed54b08180d8b48b

SHA1
6503075480958d06c47b0388bb9e8cba647c7281

SHA256
0b90cc31be41336a1472df04a7f6dabe87ccf8b3d200d978bc91020c53632309

SHA512
64cdbe7198e5daf9c20397efe7248fa7ca350517d474d435025a45dc2523bf59ec1c3c0ecd188e27f0c3123a7917a6338ee3b80ab2ac5ff373370f766acccf1b

Download Submit