6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
Size

54KB
MD5

01cb3c06f72f4b76823fd884cde12f60
SHA1

d899fd39ff612eb6d47405ce70c8a48e8fb147ef
SHA256

6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1
SHA512

8be60c4d508c19b7230d45c0a7a4f508eec1c534393ac2719f4ee1aff89477f21db235b2e52b9d2001634baf4ede75d26892bbbc0e9b6c8580cad9763a289ebb
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0Iap3gyaHq9nwK8gvgyaHq9nl:/7BlpQpARFbhNIiJwsJwwnZap9QKQ3lk

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4661) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe

C:\Users\Admin\AppData\Local\Temp\6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe
"C:\Users\Admin\AppData\Local\Temp\6ef920e7d61af443f91ea265466fb91243e04e46107707df2508b00f6abff2d1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
54KB

MD5
4b430e8e5cead91d2e566e9325209951

SHA1
4c5e83f0e51b92c5ed88b999d33b3642f4aea6b5

SHA256
0f25d25e68510ed1bfdc1f0a4d812e0893c2e11d8e579f8e8b35b9d0ea47c6cd

SHA512
a83f12d1a0946fe0569b7c0ba73683cf08c9802d59f70e3a9d86c8438f871e5192b4cd0e04e562b13015b0f4f7f73d1bceef4b4cdf88f216cfd3375a95720eb3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
20c0a6d2dda64a26b3642c45735c47b5

SHA1
f39a3ffac0aa73cfa318557659739e8dbdc7a67f

SHA256
1e9e7b04c721b203f9cc20628b6b323121365968d93488fa6b03593edafe2d29

SHA512
208dac142475193b9bf691705ae8aa9f51eb0fbbc228456383149197e0ab8fabceca624ca2486b0aece715c4516dfe3e80f2e2ebaff23c44143252439496d1f0

Download Submit
memory/4976-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4976-978-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download