9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
Size

101KB
MD5

7fb22e3fb87f1073b325c4ceb206e0f0
SHA1

e8cdbc14ff5fbbd4c5ff2b273be972ecaf38ac54
SHA256

9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4
SHA512

566882d148d22f4da8ccbecf157b8f365e6cda35481efb5b7b9039de3792e8be3b4698516b2d09a3cae50ba97ec70d1d5fd399f61f1cf51fcc04d2671bc369ef
SSDEEP

1536:W7ZhA7dAynMdyGdy4AnA4QlcHgrC35rtLgnTVoA1:6e76ynpAi9InTV9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\GetCheckpoint.rar.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe

C:\Users\Admin\AppData\Local\Temp\9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe
"C:\Users\Admin\AppData\Local\Temp\9733556e5f593b859e77ce1157ec28981180e2f333dabf92bdb3fc266a6077e4N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

Filesize
101KB

MD5
bf3e5ac17e155775802e11dae860da84

SHA1
9a1dbd7dcb7c46b2846846a74b11730534c9b00a

SHA256
03d3b247ab722529bf8037ef1ad0213b85addd04b2e3e0ec1a6092c933b39d6a

SHA512
d0580467f66ca909fad69baca403ab2ba61cc6d3e3b45e12d9116e0c52c0237fa21a66443a1208259d7717f8e87d4bbe2a3d22008e1e459184ee6979d745d754

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
200KB

MD5
ae387845e7119cfd9b1ccf8fba337f55

SHA1
c641666ece22b7000a07cc9edd79b0175642a83e

SHA256
9007c83576aac3968c4796d61211b38ed6a94984b1a8029c45263998f34f4ebe

SHA512
08b8d94ef3e6803be626150c22b89785ef3f2e8885dbde10e422903e34d1b33cc49df356bbf87725a67cc1e02dc67ac4ff35d705193772ca5103d2dec28b113b

Download Submit