94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3f

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 08:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
Size

43KB
MD5

7ab8edf805c021a283508d5061fe4ba0
SHA1

ac267ef8eb3c8d40d0a303ecdcdc6778c33a8d7e
SHA256

94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3f
SHA512

878685dacd7a1506b12a862718b97bbb238cc484f5dfb835a64348fdbc6e3b15d7752f166f9fe87e0795cb431485bcc87f5ad1dcda4139cb1d972128d2431e7e
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFZPsFhiXFhiKJKGJKF:W7ZppApBULcfpHLcfpyDZPQqDJKGJKF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4662) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe

C:\Users\Admin\AppData\Local\Temp\94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe
"C:\Users\Admin\AppData\Local\Temp\94a71825c6916bbde6d24e50a024f29f23b1a125302c2add3c231470dae8af3fN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
44KB

MD5
9be3fed8abf9d1ca265700c9b561ea3e

SHA1
2a913016fc840ce10959894ab7b7d6b148f34794

SHA256
5cc54e404cf19ae212010aad2cf0043833eca5c19593640b01e30424627160af

SHA512
11e3ea2b18eeaa835956a75b906654c5e94034fbebdfb2bd3b0fe79729aec5a09f06efd53fcc684d2cab7bf2e806c490f52bf45bfe88e858c7909ad1b1a53568

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
e08abcd497829d27d3bb92e72bb2d5ca

SHA1
1b5301e64c0131ee16149c249b8273203de6ef53

SHA256
c3a9a0c24fc89a56e5568cb0d5e3d1adcf6b6c29c7ba1ae886e4190af1658047

SHA512
505206b69aa8adf8ba9810dd335426b139de919362705f51771025b31ec7f9830b4fb5b3945a01582892f2e426163fc96bf3e8afd7b6cef8d68cec75a0ccfa0b

Download Submit