497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2c

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
Size

47KB
MD5

ee810c2d14e67bea1bea5c319a683640
SHA1

0ff7f0ec625af1c46139cc0203166dec03a62673
SHA256

497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2c
SHA512

b46f058747304fd485644e11fca4cae0638d58fac09bfdb0c763869df410880f9861f2ad83ddf4524d88cca3c84defe52bf2d2d758caabd45625aac9efdeff50
SSDEEP

384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fL+8t8YwTZ+kZsAZsZ:W7Blp+pARFbhBgnKL+8t8NZC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe

C:\Users\Admin\AppData\Local\Temp\497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe
"C:\Users\Admin\AppData\Local\Temp\497ea416cc84806b8ecbe1e8221c7789df8ac1757b9fd3a35d5f5a264354ed2cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
47KB

MD5
396bbc30023642896125f635ca4dd5a2

SHA1
3e54be8b6b6c9d7b781febaf5d147715de6b28fe

SHA256
3898d87c840865d5054284b92f7e444e368d34fc7f5ac99c1927b59691d69a49

SHA512
aea1f52a1b366d0f9d85f16f0511815b4ab052c2f2c75b321ffd1e8566705c99d0a3f02a438bfe6f38be996869149acb93e7e4f69d36d58ae4340f0745831a4b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
226423d0a4fa8d20aa894b98256381a3

SHA1
8c9d0df08277b569fa7c2f82c5c692f9c9bfc5b8

SHA256
02498c9f5cf3180454e2553e15940329bd96ee7ed33195cc7850231e42edb1bd

SHA512
e31ee8463c1b60ff728e878dd9e8cc2eb6675ad1ea3bae08ccfc7a25e38a2724331ab6c0c7de896a363eb52fb376e8ad3e466d6da0ed046ff181251f6edb33ce

Download Submit