97791517add1b8f6e2518ba07d859bbf3f8d7c18bf073b0f83e1fe30a55bab7e

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0785ae0f526e7027b82f251d5c50b980N.exe
Size

40KB
MD5

0785ae0f526e7027b82f251d5c50b980
SHA1

b29654e3b432f29abc4737a537b3115ac601d6fe
SHA256

97791517add1b8f6e2518ba07d859bbf3f8d7c18bf073b0f83e1fe30a55bab7e
SHA512

3d354cd1fe5a17f557638828b2bd65a6c0ba558e1d67fc5c0a207aaa41ea372cd6b67e4ecb4c82fdbdb0440751100e14b558cbf0bab79e31ca5277c763f82861
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN1qmq4Gqmq4MAAAJOQAAAJOwjyjuTgAgV:W7BlpppARFbhwEnAAJ+AAJbjyjua

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	0785ae0f526e7027b82f251d5c50b980N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0785ae0f526e7027b82f251d5c50b980N.exe

C:\Users\Admin\AppData\Local\Temp\0785ae0f526e7027b82f251d5c50b980N.exe
"C:\Users\Admin\AppData\Local\Temp\0785ae0f526e7027b82f251d5c50b980N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-701583114-2636601053-947405450-1000\desktop.ini.tmp

Filesize
41KB

MD5
e1a4569ce935fac609fe10f2d515722e

SHA1
0989d7d04f881a316937954ffb0d497f8d7a68a6

SHA256
9400f66cf74023a41ab9cd2a0a0037216d7f202788eef3374891e0be0476d2b5

SHA512
f3c7fe02d9bca543be3731a917660aa29b4a6ba51c1d07adf745de1d75520a5f01a036d5beb52cde0dab6fc67183447f536900ba0ade7fd068e3efa58e0c6382

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
5b444d955d8a0677c3ef12d952aa22a0

SHA1
a08b0652ed49df03a97c3ee0bb0c3e0ce8907135

SHA256
c0db98c5c056eb0e46e2f21ea84bd098c74f8738051871c5b69587a7c23d652d

SHA512
8d0662e343b3fa91fb20dc6a5e017f585c9f88b137ed291b79fdd82acd5c3e4d3230d57be7435c2ba967fd6c0861513ccdcb5a97366aaf83b8e66863834c46f2

Download Submit