937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
Size

53KB
MD5

bc1396bf9240031e347b98b6c1e753af
SHA1

589149f665306ae15ede98f266a3b85e4b7c7630
SHA256

937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed
SHA512

ab78e852324f60e27b2d7280014b36f7948beae90e570dee6f9ef29753ec632d69228b862169b844349ed496176c4ae93ee02772f4f20d158dae3ea66c4c7d3b
SSDEEP

1536:W7ZhA7pApM21LOA1LOl6Aj8Tu8T1Rxew2wXDB:6e7WpMgLOiLOAew2wV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5269) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUR.TTF.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-timezone-l1-1-0.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\ConvertToEnable.TTS.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\d3dcompiler_47.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe

C:\Users\Admin\AppData\Local\Temp\937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe
"C:\Users\Admin\AppData\Local\Temp\937a56411ecbb844364f59562f5ba119975ec313ba32a4db69091d0d66c77eed.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
53KB

MD5
2c907dd3604aeb05aef652eca4eb4f26

SHA1
93cb762721eac0228f1f335c8aff6bea64fc1318

SHA256
17e34b47db6041e911f16c75b9b604fdce127d95f91555f39618b8da07d62c71

SHA512
c8015e4684c36319481e8c963f2298b2085c5ec551a7a1de471793b781d98a88e1501348614a682016da45fad95b28e3705dfb15500cb637031ef4810d7c773d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
7c370aa6f4193664f2b4741d6e3d4df6

SHA1
dff51eaed91162834fc04d22a3311d78cb70a500

SHA256
3b259d2a0f6f44f8a723d0a3b494c7a375e0b9991543ba187c905168295b0d03

SHA512
3a0f090b8ac7b2b6349d70e416401bf2df8e8846269033f1a2abe27ce866a96642ed9ab63b38b0030272ba7c317866399956c6d23f789f17248b4db39edf15f1

Download Submit