136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4c

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
Size

35KB
MD5

aeb0e9f6601ac0de3f72723f7073ca60
SHA1

63b95e409c41505fe5bcd30b58b2aceefda45f9b
SHA256

136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4c
SHA512

262d63ad94791de0a87df7e03e2c4b8465194cbf3fe697c6746f716c0a671d09880d9cb44c3829f20ce6bb4a59c42b639a9397c83519cf67ff3e3d134bccbf62
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPcniDvE10vE1ReM:W7BlpDpARFbhH3qeM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4534) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\CloseRequest.wmf.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe

C:\Users\Admin\AppData\Local\Temp\136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe
"C:\Users\Admin\AppData\Local\Temp\136a7700abbcce8c68912fe63727afd7002ff5b071252e008946fe577fce6b4cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3848,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
35KB

MD5
5e30ee76e6d8d8688044173f2b6e0a98

SHA1
072651549d539f01d4346ef19769b602f1f7a60f

SHA256
b36ce5c8ed978af1789497775ab02e551ef9ab209bbf011d756236a65471b5c4

SHA512
6ea4e1e766cfa425bf15bb8dfa51c926aa3a765afa03792132b06fde16aba5192d4ff2b00e38b204f88a574db747fde91f695386000fc9f4079a69ff32cdce79

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
147KB

MD5
3fdfbf2059920fafaa3978cc05105876

SHA1
7d3daadc1e2d6b550a7422cd3949211c9a55f2a0

SHA256
c20b6ef9ff0d8ef5e595c1d574b3dbcac707c5b4d7a631e9b74b4675bc4ebbd9

SHA512
9a8d72903a5f2a00228c5c73281f7c2961d01058b1cfe594bc07e3aa3ed35f404a70e6bfde54f97a55b3707b7c7d7231793f587998a52a36afb9d672de1aae15

Download Submit