9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
Size

91KB
MD5

52fe60eb0d38a40a48514f92182e3e60
SHA1

6cc0d04f2a28013d3eb5409c5141e8e176f0f5f8
SHA256

9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300
SHA512

cd6e14ce5eb6ebd4083c250cff5e931d918b9880c3ce16168ebdd2f78bfddb3228376b17557426daa3027651450d00dbc99b62c03fbb7925deb73df0f10c3184
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhf:6pWpUFpEhLfyBtPf50FWkFpPDze/qFs+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe

C:\Users\Admin\AppData\Local\Temp\9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe
"C:\Users\Admin\AppData\Local\Temp\9a67a288034a645144cbceec969d4dae38a3907db787a3a6f1e7f4ddc7a0f300N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
91KB

MD5
d708fef198f749aac44a0c09e4232c49

SHA1
6d3335ca5bb41c0a646137e02c776b6fb08e5595

SHA256
95dbf7930737f13730d0bee10a504a6450935c9281851ca0204af4f6503ec112

SHA512
cbdde73bfe36d288045d7584656fd2bf2d73cde8ad7f4dac1fd6e6b47cabfda2268087c1f07b7c40f1c8f28a31981d0e2ab326adbf6fccb53413627148c0dd6b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
120c7d4052b83c06dba09700df55f94f

SHA1
a8c722d581ff84df4078680921c4288993a9a6ed

SHA256
271d556510933cd2ef5e1235da1164c0cb0eca8580c0bad4558afe9f32e89db2

SHA512
64530a8b82e95399f9dce2d005adc27044da2e72aff4068503bfe64e83c0410333aaa9b3f77279eb2434ba67cb2d5801b76b0a8e07257e4a1a2e07edfff0915a

Download Submit