92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0a

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
Size

89KB
MD5

e7770076f30c93d7b599dc2b795b7590
SHA1

0f0d05ab2056c569c0f2fef8e8dc203b31861601
SHA256

92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0a
SHA512

cc4095581cf1a6e1fe13c99a291930de67523d213ce9dc40b607ab56b8ca0d0b841f284b1cfd68c11268c3300aad831ffa2f2b1bea2250a533eaad26a8a1585c
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhO:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\LimitRemove.mpg.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe

C:\Users\Admin\AppData\Local\Temp\92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe
"C:\Users\Admin\AppData\Local\Temp\92b2be2558024e1c81b6cd8cf16242d00684ef922da12e4cc569075a2e221b0aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
89KB

MD5
4af38d6776c33c0b2c34ec62efb1a61f

SHA1
07bc95960331915df8681cf881d8ed05a3fd261d

SHA256
0759b4c0ffb8db715b720cc78c497d6b01adc9ee4529f948b86bfc279c718ae0

SHA512
6919ea1265b20abf0bc0fd0cfb7b7cb98f889ae7c810658d0792d88557152c4e0f95dc19bd42d6e843aa070119030d0824917970cb4c83c094c5a23c698717e5

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
202KB

MD5
3ef8d102bb757813d6f323d1b0e0e27b

SHA1
4b145d577044b50ce675af2f909670f18192dad5

SHA256
be49e89f5aa20650b3afc850abb99046124d6e9a4d9bc0a215a85ba6196db729

SHA512
17065e8d84d32137e8143d715639b88bd249b005fe32f0b96631e4282e385a1a59c11b5866c0bc976deb7fd597c231fcb29b998101403de8e72e35730f753efb

Download Submit