20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23d

Resubmissions

21-09-2024 19:30

240921-x79sqsygmh 9

21-09-2024 19:28

240921-x6r7asygka 9

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
Size

40KB
MD5

33188469ff787de660fe7cc32a4873b0
SHA1

edb643055aeaebd04e6ad1ea29842c3667bd8a42
SHA256

20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23d
SHA512

2edae04259fd4f3c10505765eb4270fd119793a3a5fc333c546f80b0de349da9f359ff802b7e2dcf1ad424648ba696375ce7018fb6fefecfd3cf6bd461d6824f
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt342JQuY2JQuriZOrh+YPHXOrh+YPHt:W7Blp9pARFbhjJQWJQ+HwHt

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe

C:\Users\Admin\AppData\Local\Temp\20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe
"C:\Users\Admin\AppData\Local\Temp\20f09ed1de98fec7fedf5b4e5c16cfd933d4854457a9fd75f1df84d556f6e23dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
40KB

MD5
5a324dd94903021bb17b072173b29715

SHA1
2164a87b6e857b748ab3f6c05eef3dd27763e1d8

SHA256
351dcad62bf7dce68062a33d7ad45ae2f676257435ab7be296e068ee535e79a4

SHA512
32281ed0c0a0c713ba3a557c28649b73356ba91c2fa26fbcb2c6ad0a26775bb177b3ba08520a33c021fe6bb83e22012b9a833fb02f081d251772be9c0c74adc5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
2dd953eaf11416c036abf9e3ae47b047

SHA1
ff87572f39757df809002b0d3e7f045a37c60e12

SHA256
c598ba22521cfc4586e09f45ab8ed9310ef8406a5af7bafdf1235c01df0e1bff

SHA512
29af51c80ea2d9cf384bcaf8bb4b381a9e8f000ceb7a17e9099053b9958c0357734c87ecacb9893a39c9935a4d7a6ff9bbc9b97aa15f830e961f07f205cdbe61

Download Submit