cb52e8b8a9e48a35a4e5ae60aa840471503ba41723d8db0cae48c530cf46e037

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 04:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

479b85b07e4bad1fe1c2bd7773fffdb0N.exe
Size

56KB
MD5

479b85b07e4bad1fe1c2bd7773fffdb0
SHA1

c630ba833dede0fcd07402c56d350c45059e7a07
SHA256

cb52e8b8a9e48a35a4e5ae60aa840471503ba41723d8db0cae48c530cf46e037
SHA512

f36a539c6609b2bfc2b9fcc72d6cf8e5e043bf09f36f7a2f89144ae12df06bccd93bc9d9f7f8f8ffedcff2d3938f7548503dec92c3f25e482fd1303024523294
SSDEEP

768:W7BlpNLpARFbhblkYlkuvIYFWcDYcDlvcYNnVvcYq:W7ZNLpApCZuvIYYoYoN7n9M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4327) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	479b85b07e4bad1fe1c2bd7773fffdb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	479b85b07e4bad1fe1c2bd7773fffdb0N.exe

C:\Users\Admin\AppData\Local\Temp\479b85b07e4bad1fe1c2bd7773fffdb0N.exe
"C:\Users\Admin\AppData\Local\Temp\479b85b07e4bad1fe1c2bd7773fffdb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
56KB

MD5
9a5935e2cc02aaca597ef8f2ff20e1a0

SHA1
85066223bfe591bd777ab642fb88fc02395dba62

SHA256
5e9d5086bf290c1453d1ef8f705144b7e71d983a836b8e44443d85f6d9c20bf0

SHA512
a28de7b370070b25dbf73cb93bf9debe388f6f832037510b8880f02899645eb71d5bd997b1131ed1a005d297005e8d9bf2b108094faaa7dc979dbfac9da1c99f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
762130221560efd29659d61d98e96bfa

SHA1
c43290260d8157e57d68204ddbeda568f4e045f5

SHA256
0b2e01da5641d26f2c30d46e9166d33ce6e88263fc2290c651dfe49a4a3338f8

SHA512
07d8a69eb2f985b82f7b58b188c5867c8c1cfbe8ff330b5bf3ddffcacaabdd7022f3cdebe8c488872973b38a2f6ab7c40a770f5146eb6c8bd4437126ea08a7b7

Download Submit