Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 17/10/2024, 13:21
Behavioral task: behavioral1
Sample: b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
Resource: win10v2004-20241007-en
General
Target: b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
Size: 67KB
MD5: 420e73253b010bbfd4a46517ced87100
SHA1: 2739180d7a28dfa7c6c3fc4fcace42f31f6ff77e
SHA256: b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168
SHA512: 42194901f336496cc402fce4a22b8945a70d061920a59d08995773753134f8d982051fa8c893cc64d2dc7a3e52eb0bf9871a69f04aed683403ee82f35a8edc6d
SSDEEP: 768:V7Blpf/FAK65euBT37CPKKQSjyJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiJFEFuod6:V7Zf/FAxTWoJJ7TTQoQPyPhehyDbaDbr
Malware Config
Signatures
Renames multiple (4773) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

resource | yara_rule
behavioral2/memory/2692-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x000a000000023c12-2.dat | upx
behavioral2/files/0x0014000000022905-6.dat | upx
behavioral2/memory/2692-660-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe
"C:\Users\Admin\AppData\Local\Temp\b4d21649d94346f6e02bd35bdd1acdfb36d233878700e4284e2daf0ccc95f168N.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID: 2692
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 5be5f1e0215f580ba559064dd11e7532
SHA1: 1ff98cc2ba076e7f61bafb214d1ff7ddad219fe3
SHA256: 214089136b1805b4e04cecfd4566f6ee0dfdae8e2fc795bc585591ae31998b53
SHA512: 39f92a94b47e633635b8ddad3d8d9e93370ce457e8b7e074e7fc15465855de63ccaecc37cceeeac09343526097ecf44a980b16a4ed7e97eb6180e0cb46316683

Filesize: 166KB
MD5: 5d26c6d73f48758db2e25e49165571ea
SHA1: 08e6c9d801320e8e6af78b83a76d9a3f041f61a8
SHA256: c64e31e0af212e75a62da2f0a272634129b26308bc0926cfe346958ab0c4a87d
SHA512: 8826d168a2072c96f7416fea98c985691c87dee4cbf3044e96414aa37fa1b5aea1c714b0b0f72ab047f40a1cde880e0f4658a4463f300fec8353592014eb3d22