093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
Size

81KB
MD5

009bcb4adab3c1a9e74553f181268710
SHA1

eedaf007c61ef5aa196601467d3e975495a91228
SHA256

093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2
SHA512

ce5706ae18668678337a4a206c5d7a7986d3be9c15816d9b245191f9b602f51a0f337d0500c387baba8fa03519d2874978a9d0557d5e49320744723796979f3d
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYN:6e7WpMaxeb0CYJ97lEYNR73e+eGGS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4377) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe

C:\Users\Admin\AppData\Local\Temp\093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe
"C:\Users\Admin\AppData\Local\Temp\093e1278b4faaf5b4fb2fd3485a0bc466359c42cccce849414b78f0a57ebe4f2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
81KB

MD5
899f4ac623ea45965fa1f3ae45225503

SHA1
b31ef3f7579eff5d39ef0e564898aec9593b45fb

SHA256
7183ffacae6001a1c4f108799d53598a51c87f877c3c95bc7c9085520bcd0c8f

SHA512
dcfba2fbfcfca4b794124a09eac46ef5efd05bcdfe02a68fa614415edfdd9c96a5a04de20ef1e84d6ac6611a3415df7b273a86f27db8a9b4ab487ec53b9d52b0

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
193KB

MD5
ad55220bad1cd5ef34c417c6e46cbd14

SHA1
c9e1f60e3d27cba5af55e3fbb38d5ff674ee1c5d

SHA256
b9661f3b87bf95e1674515ce0eee0cafa1d7c4ef87d40dacb3fbf760bb91949a

SHA512
a2a58b6df2f6efc0193b58acaa089499da21d4e7d61e346ee0d9fdc46a708cb384ddaff865fca2c29d18caf18e54cbb0eb7b1166f5ebf63cda27dd6227776fe1

Download Submit