Analysis
- max time kernel: 119s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2024 06:39
Behavioral task: behavioral1
- Sample: 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
- Size: 60KB
- MD5: 9549da2dd8cc918df58be60bdfee6b40
- SHA1: d1120087e30801c98504b652fb4eea7c90818a6f
- SHA256: 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0
- SHA512: e5da49956eaf818fcb35c27f2ddb57c6391be2af26008edd561588dbd29c6386d18e89e67406f55b077a67ca2d0e6df83510c5b8c7c692b30cabba539393b687
- SSDEEP: 768:V7Blpf/FAK65euBT37CPKKQSjyJJcbQbf1Oti1JGBQOOiQJhATNydWK9WKF9ADJd:V7Zf/FAxTWoJJZENTNyoKIKM0rY
Malware Config
Signatures
-
Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource | yara_rule
behavioral2/memory/2380-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x000900000002345d-2.dat | upx
behavioral2/files/0x000f000000022902-6.dat | upx
behavioral2/memory/2380-1006-0x0000000000400000-0x000000000040B000-memory.dmp | upx
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\7-Zip\Lang\tt.txt.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\7-Zip\Lang\ne.txt.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
File created | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\979242e9b6fedf3bb7c36b3d584e54384ab598c3d1e37f422941511d4a7f1dd0N.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2380
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60KB
  MD5: 2f41279b934e4ca32f5963e3ed776543
  SHA1: 1ee09b911f2685c87b8c0e1fe55604f241c3c079
  SHA256: 260f9ac28a512bca6b5247666afaed64031db6f0379eb4b5c3f79beca072579a
  SHA512: 089dce7ffc8c0829c3644a8521a4c9c66e47d0368a5d7e296b1c6ff2a5c380bf2d9c2741522f6d03f166a528ce052cc7a6175f70667f6d192eb401e0a160b0e4
- Filesize: 159KB
  MD5: c7df1d1a75b78669f915acf15617528e
  SHA1: ca1b0567348d4c6de1f0218ef67d09c83c882618
  SHA256: 8a3e6d1a8e2bff53ae3d7d18bb0d7555da680a9711e5316f90797c56a4872a6a
  SHA512: b053492ea8c13c5e5b6848be89d3817f8714a6602030fd0d0c09ea8b20b8b077d7c99ca8c18a0d4b3da8c4232f6e2ad12f631d2625636dd71a67d36f655b3314