68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
Size

80KB
MD5

e1795997bfcee5c61ef9af8e383b25b0
SHA1

dc46f0760e6c0efe2e450a4328af85e0ffbef952
SHA256

68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043
SHA512

34b1167baf71f418601aad320fd309113c1dc0c2bbcea55502e81f4948eed2ef3c94cf84061b4765e913bb38072469d31ad65965aebc5d770a119e897dc92eac
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBYMsV:/7ZQpApze+eJfFpsJOfFpsJ5DecO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe

C:\Users\Admin\AppData\Local\Temp\68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe
"C:\Users\Admin\AppData\Local\Temp\68f83ada2d1a3dc479fce02323b167fd6d92f7822e40c7b837300852c3778043N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
80KB

MD5
85c3036150d0f6032fa0832586d9a0cf

SHA1
0d7ce70b51e8d761ec23ee69bf26dac4c8c48b5b

SHA256
01a737f703e11fc6da0bf059650b3851f627bde85e9fe28d6a0cb4e705f6143a

SHA512
54b5b373fd19f6aa3db3b74e458cdd058327f54ec139cfd3844727da5adf7babe35a053b1d8ada87c5d08d9b8840aefaf387b2b7069d166359a74630378e89a0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
179KB

MD5
d65bb9171fa3731b825d972f9579564d

SHA1
a4e0612ff7a171875f540f1158c65acdfeb6b942

SHA256
a335f83be56b1d7b44cb2db1719d8121a0f96012bd4f30aaac5d6f4478f28a1b

SHA512
80c727d0c454b628fe8428efe4e6b42b0ea2709a719b5da928c943830ee24932543795a2d82bdb9350222ff11bc22b7d697575df41cf68f21d7226c4cfad25fc

Download Submit
memory/4152-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4152-874-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download