1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbce

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
Size

48KB
MD5

c96009fc4e5015b0d7824861a2b9c640
SHA1

8a2b3fa9ef32bb9d4c78c1ac58432b004a173b1e
SHA256

1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbce
SHA512

f68e81946fed99e21af51fd55b162130912105e03743a76c7a97658971c64b20a4e328380071202ca57621bf34be1f4b9f96c1dcd007f7320d7692e6e4e973dc
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1itvtBj9:W7ZppApBULcfpHLcfpSo3fstvtn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe

C:\Users\Admin\AppData\Local\Temp\1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe
"C:\Users\Admin\AppData\Local\Temp\1b9ff849f23ac8b17cb197071251c9519bc6306b3d6c4d1ca7848cf7c80ebbceN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

Filesize
48KB

MD5
a9272aeea26343862341f89d5f428798

SHA1
72212a86fe7242e40c5375ed78a9a8b1e92d1bce

SHA256
046b15f5f0cbca4a2a8b61760d51483a5fef3c5c17f076d5c13d0f22337daa26

SHA512
fafed929a0b541a30a9842010a577eed6741d56330d8b83ca2e9a95d8e93765a88e2632a2ad402958bde48beddd7e77bc58c576b34009977fde7a3f7591d48ce

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
4f56f8fd08ae581e4d6cc8554735e5ab

SHA1
bdb7d110805010ab54a6912937e38948c531faa6

SHA256
a0ee3f97073847360d40b14c3fa0e93cdf52644ca93301552ad929cfa96282c6

SHA512
53ebd0fd01885debce18825883fa66d757e077efd1fb325724b35273cdd8ac8e93662e7aab49a1bd05307badf482873d8626c8fba3db30172cba22e2f0e0324f

Download Submit