Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25/09/2024, 23:39
Behavioral task
behavioral1
Sample
896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
Resource
win10v2004-20240802-en
General
-
Target
896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
-
Size
53KB
-
MD5
7c02198bc23d5a6cfad5fb52c64ea272
-
SHA1
725a8e85ee0bdaab0aae847354e2ad7c0b1f52b0
-
SHA256
896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f
-
SHA512
36f5a8648d1e7e76e513a339795519faccc5d0cd125d476e08b9d41efb599af4c7a5a37923c6be1641c14164644cd67ad27a65aa7ea0729cb158f00eb03bc171
-
SSDEEP
768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcI9Ro+QOViJfo+QOViJY8u:V7Zf/FAxTWoJJ7TPUr8u
Malware Config
Signatures
-
Renames multiple (5192) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed with an extra extension.
-
resource	yara_rule
behavioral2/memory/3876-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x00090000000233ed-2.dat	upx
behavioral2/files/0x000c0000000220a6-6.dat	upx
behavioral2/memory/3876-958-0x0000000000400000-0x000000000040B000-memory.dmp	upx
-
Drops file in Program Files directory 64 IoCs
description	ioc	Process
All 64 entries below are "File created" events by 896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe; only the ioc path is listed.
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp
C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp
C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp
C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp
C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Google\Chrome\Application\initial_preferences.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp
-
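Added triage example (not part of this sandbox report or its tooling): a Python script that parses "File created <path> <process>" lines in the flattened format of the IoC list above and flags a process whose writes match the pattern behind the "Renames multiple files with added filename extension" signature, i.e. the same suffix appended to filenames of many different original types across many product directories. Keying on breadth rather than on the ".tmp" suffix alone matters because legitimate installers and Office's ClickToRun also write ".tmp" files under Program Files. The input is a constructed subset of the report's own IoC lines plus two invented entries for a hypothetical installer `setup_example.exe`; the thresholds are tuned for this tiny sample and would be far higher on a full report (5192 renames here). Note that the listed IoCs are the temporary files created, not the final renamed names, so the final extension the ransomware uses is not visible on this page and is not assumed below.

```python
"""Flag a process that writes files with an extra extension appended to
existing filenames (the pattern behind the sandbox signature "Renames
multiple files with added filename extension").

Added example for this report, not the sandbox's own code. Input format
assumed: the report's flattened IoC text, one event per line:
    File created <full Windows path> <process image name>
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

PROC = "896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe"

# Constructed sample: seven IoC lines taken from the report plus two invented
# lines for a hypothetical installer (setup_example.exe) as a benign control.
SAMPLE_IOCS = r"""
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp {PROC}
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp {PROC}
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp {PROC}
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp {PROC}
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp {PROC}
File created C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp {PROC}
File created C:\Program Files\Google\Chrome\Application\initial_preferences.tmp {PROC}
File created C:\Program Files\Example\app.exe setup_example.exe
File created C:\Program Files\Example\app.dll.tmp setup_example.exe
""".replace("{PROC}", PROC)

# Path is everything between "File created " and the last whitespace-free token.
LINE_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")


def parse_ioc_lines(text):
    """Return (path, process) pairs for every 'File created' line in text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("proc")))
    return entries


def split_added_extension(path):
    """If the filename looks like <name>.<orig_ext>.<added_ext>, return
    (orig_ext, added_ext) lower-cased; otherwise None. A single-suffix name
    such as initial_preferences.tmp is not treated as an added extension."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2:
        return None
    return suffixes[-2].lower(), suffixes[-1].lower()


def summarize(entries):
    """Group by (process, added_ext): file count, distinct original extensions
    and distinct product directories (the two path components after the
    drive, e.g. 'Program Files\\Java')."""
    stats = defaultdict(lambda: {"files": 0, "orig_exts": set(), "dirs": set()})
    for path, proc in entries:
        split = split_added_extension(path)
        if split is None:
            continue
        orig_ext, added_ext = split
        parts = PureWindowsPath(path).parts  # parts[0] is the drive anchor
        s = stats[(proc, added_ext)]
        s["files"] += 1
        s["orig_exts"].add(orig_ext)
        s["dirs"].add("\\".join(parts[1:3]))
    return stats


def flag_mass_rename(stats, min_files=5, min_orig_exts=3, min_dirs=2):
    """Return sorted (process, added_ext) pairs that cross all thresholds:
    many files, many different original types, several product directories.
    Thresholds here fit the small sample; raise them for a full report."""
    return sorted(
        key for key, s in stats.items()
        if s["files"] >= min_files
        and len(s["orig_exts"]) >= min_orig_exts
        and len(s["dirs"]) >= min_dirs
    )


def main():
    stats = summarize(parse_ioc_lines(SAMPLE_IOCS))
    for proc, ext in flag_mass_rename(stats):
        s = stats[(proc, ext)]
        print(f"{proc}: {s['files']} files written with '{ext}' appended over "
              f"{len(s['orig_exts'])} original types in {len(s['dirs'])} product dirs")


if __name__ == "__main__":
    main()
```

On the sample the ransomware process is flagged for ".tmp" (six two-suffix files, five original types, four product directories) while `setup_example.exe` is not, because a single `app.dll.tmp` beside `app.exe` is exactly what an installer does. On a real report the same function would be fed the full IoC list and the renamed-file events, with thresholds in the hundreds.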
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\896d9e12f68faffba95c92e5da80899b94b2d2d766aabdc34126878a861f458f.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3876
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
53KB
MD5
06c7eea16fab781fcfff2d7ad3283ab7
SHA1
82fcdf5ee2e91a2db7f8c1d6818b62bdf3c9303e
SHA256
4ef1e68f9bf926c8a7bf42d26e5b9bebacf4f3015a1206a66661f087e99f0f0a
SHA512
0b566448252395b7cbd6bcc6e10cf4405f55743bd79ec185adc6f1fc4615870302abe1e6ac90be490e2f9e9206fe8648ba80110fcd884a89d6a0efdc36716c14
-
Filesize
152KB
MD5
36e9cc3db3a136c291ce5c95908d2b50
SHA1
f5f725fbbcdbede55c50a6c4fc40be6272af0ca0
SHA256
e7d177f4cc01c8a749d3a955aaf78fbcc69390f232791bf2bf5fbe03cd6bcd8e
SHA512
8f79c2d166082bc2318a3f78345156d6df16684a126241fa7725f465a7522684669223d938bf11e74e17172d890f9812368ce6f1693f9713b38c86cc3a05cfb2