085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139a

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
Size

53KB
MD5

f6442c17d1f9ebf7934a841b2bd8be60
SHA1

1b0f542a8eaefdf6017dc04e5af9fc53db0bfc9f
SHA256

085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139a
SHA512

e62e786fb2205291450597e2992d11ce0956e67d343c16f97deffa4b0740978a6c82531acc2cd2fa89f04804e6694d9cf5bf185c31891e3c85b46fa0ca7e95eb
SSDEEP

1536:/7ZQpApF8HaKa4aKa8KP2awclvmxaKP2awclvmxk:9QWpfP2awclvmxrP2awclvmxk

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe

C:\Users\Admin\AppData\Local\Temp\085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe
"C:\Users\Admin\AppData\Local\Temp\085bc997f8e7a7b465cfde85f524f9bceebd2bc54c4d94910626a82dbc91139aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
53KB

MD5
9f718a8cd7c6045d8d18d79a5b51da16

SHA1
5ebce90430a2e9194718b75e2de4112311840206

SHA256
523502879229b10577acbee931a6e61ee5ffdc88766be16b8d099d9f3868dae3

SHA512
6138f4afaab09599452474caf56e52a0ce7123ce7533998eb6bd18ac677a5b930015415123579f2525a07e7e4cf8b3010a4e3da70cb451502464ae549cd5828a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
98f0bc4a19f62b459aa58bb8bb0efb49

SHA1
93da195d922e70fa2dc295f016d3736da0af56c0

SHA256
e28871301e9c2b19070e44f5555cde1d3b5e9c4af477395b4f2e2b45f53ddf58

SHA512
ebc1471cadba590e625ef681ce61941be1584e6b72cfba62eb8859b2950b441a63d8caec51711f9471a5a5dfb8395e531d58689519289e206a6431f993a3451a

Download Submit
memory/1224-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1224-996-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download