d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
Size

37KB
MD5

efe40048dba28af6fec0a3266ca37590
SHA1

9c905864462ccb73444b5ab2d20c5d6c68f6dcf3
SHA256

d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8
SHA512

2db0601af81949636e259b601f9da11bc025a6687d42ce0a31fc6c6d7790c843cd1ca676b5fd69b7ab80e463215bdd4f3f07c4a472e6d849ec6a3cc939f3a9b7
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltWqAhJ1qAhJE:W7ZhA7pApM21LOA1LOl6Ar

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe

C:\Users\Admin\AppData\Local\Temp\d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe
"C:\Users\Admin\AppData\Local\Temp\d4c9a90fd48f71887318ce00b289f0929c4cf24231f215ce03987079550abac8N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
37KB

MD5
6b4321d841961b139874d12813e10338

SHA1
6e3bcc20e18c539b8c557b3dd61a035abb17cbe4

SHA256
590b379119dc2cb1a124d39b3d3995a6e5cca3575fb30a7e98e9d4598086c534

SHA512
d4ff6cfdd6b43e7205db31c3ca744063046638817dee44c325c3d3c6d41d2e5e7cfa70b00bcab355a1140a20b9c9ea3e29734c98e2c2162e425f4f72881ec04a

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
150KB

MD5
bb5c138fca5e86bb3bc0767554891fe0

SHA1
b8d8617f38f31fe55bb863ed5f01932a0458bf13

SHA256
420309ae601e97ffdc3fa7f399f0e5329ae62b22e42f80baa864ba6664dc158a

SHA512
9fd74d0d427e9641ee130255ff085f2a1871685faebb2d1150981a2941d996bf37c09d2c8d546eefbbc198cb403cb1597f283d07d442655fd1dfadfd7c5e779f

Download Submit