9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
Size

57KB
MD5

3dc8ad641068a174b45b33b803c037eb
SHA1

b0c49e113152586ba6b2659edd57e1360fb5b6f7
SHA256

9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9
SHA512

0fc8f928db6010350eeced8e526900b4b708f6043d5877a3df8103f157edb32129042e0b4fbb6bca614b98aa9819710ab534d688168a44a8ff6202fa20ef57ee
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0Iap3gyaHq9nwK8gvgyaHq9nX:/7BlpQpARFbhNIiJwsJwwnZap9QKQr/A

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5123) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe

C:\Users\Admin\AppData\Local\Temp\9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe
"C:\Users\Admin\AppData\Local\Temp\9bae641995d628dcec30b1d22502309e1df24b4867459bccdfbe536f417cfac9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
57KB

MD5
b983d6cb9bc3fd978be911a06123c8d4

SHA1
a805fe64264cb230d522b4f5f2f85c55352f0a71

SHA256
9cf792c6d87a71d8bb717ab09af77d1bd354b5b8ae95b1b5c6e2aea748425c6a

SHA512
4fa49089ed79a1b0cd01d130c18cec2eb234fcd367d8855d468c3ff556426d73c0c832fbbd199c42d73a7f59f15392c14b4464a73ab367181cd94b7881c6f130

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
4ed7ab20ceedf9976359f3fd75b83c61

SHA1
49c08e396bfe371d4d9861c8dec31f5c07f917ac

SHA256
1727c1341c634d6fd317716fab30a8d9624bd70abea24205fc7cb25df1485980

SHA512
c657c0e52bec48b6688b3bd1f41276ee2a7844a91e8061087ae6ddbcf496256e6b9d2d6b80cffaa02ec8d3bdfa06c7ef90104266f6b7e307bd9d3f9960c492a1

Download Submit
memory/4508-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4508-910-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download