6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676

Analysis

max time kernel
120s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
Size

44KB
MD5

d3417e51fc1799afb4224b4518aa2870
SHA1

98ee6f68ab942e06801458e134988beaa430763e
SHA256

6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676
SHA512

686fcb5e6a3700795b9407c92ff112d023229bfeb7c1d08fb69c9e182932b0ca7fe443e8a73fd20114dcf5dfb55a8e7e5952a3276435075a247e1410de4a3f2d
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpdj+KtaXi1xGtaXi1x6:W7ZppApBULcfpHLcfpBfSfu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe

C:\Users\Admin\AppData\Local\Temp\6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe
"C:\Users\Admin\AppData\Local\Temp\6be107ddaa42de8c191ee9cba0b352fed6e690ede2b6cc5a003af1a132add676N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
45KB

MD5
077aa240c07b38600c0fc5e6784bb0b3

SHA1
0259695da5ca0f285cea8d28b075876b001cd37b

SHA256
82e746c3bbb493f3f360aecf1805ea4d561445b3d0af9f40bfaa94daeac042fd

SHA512
cf556324326570c0d5c3ee980be1884af602339f3f2c6ddcfe10b713961a5a5b7e8779bb8ef60ec171e8d5eb5b6e31c8b89897f5ddea2e0615e064afdb4f52f4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
1b270a884ed4ef89560a29e476829d8c

SHA1
f82bde0a17feb7e73a9393601f3228d11f5817fc

SHA256
8be1f22253b40985f61ce7d4fac6ed27cd051f95f49ac516eced00c73fddd510

SHA512
8a46d7e510c6e27112e6323f7eb5d71e14012a77f6bafed8b52e4ba16f17bfe2e4d1f3c3f1efd2ffc6e5eeaae8adc30b5caaba03c244f0929509c9c3b9cffd1a

Download Submit