b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aad

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
Size

40KB
MD5

197f16c8b0fdf2ea547af799b02c5920
SHA1

878106bffc1d5877018c5922d1b8872dbcd2a8f9
SHA256

b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aad
SHA512

d6151f19d44f90fd5ffabf9e80d8e6fea8f4ac7a86f5681624a88ac629fb41dce2bed6085f6eec6ca3bb5b39a19f7180c634929a0ebb215794f3ca2adedf775a
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPcHfUp37fUp30W2mhzwxW2mhzwc:W7BlpDpARFbhcS37S30WHhwxWHhwc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4665) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe

C:\Users\Admin\AppData\Local\Temp\b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe
"C:\Users\Admin\AppData\Local\Temp\b9d8c99a822a943fadb055b21309615f5302dfcdc11fdca2fe09334c48253aadN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
40KB

MD5
e8023d763bd0258d898537671aa6add4

SHA1
962b977300bea0e28f7007f185021e474db84d7f

SHA256
317de113f9292a92a58ad31f368295cd6360bba9e26c9ae9fda6d669edb6fef6

SHA512
da53fbb6ad9694e10fb5c24e2ae3d6150ec11ce8e836c3d6bc5aa21adc4f00ee1583a9e30813a052aa1f86e3bced69388a4872b8433feea70eeaeea47fbe8bdd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
b7c00caecdb311d1557632a21406be13

SHA1
33cec2fac8d1aa43a33ef8ace707fa9b6d2d5bde

SHA256
18a359c406a86422d9f43ac9eb410c18fa31dbed850d7765225d60980da7d6c3

SHA512
af66470a8d67c522e5a0dd430e5630e5ebeab4c69e1a109ad67cfcc257fe14eb8969afb949e5ca6d04ffa01e9852ce61b0f3fd16dae6ada7d4840fe066a150f4

Download Submit