99ef342a44936bfbc9473e18fea3337b50557816abcdb65de41fe481047c0c0c

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54abf07ae9936161f65ae05234382be0N.exe
Size

38KB
MD5

54abf07ae9936161f65ae05234382be0
SHA1

8f73ed77be42ebaa409cf00dd8fb6855f0831a16
SHA256

99ef342a44936bfbc9473e18fea3337b50557816abcdb65de41fe481047c0c0c
SHA512

20c231371cd485e42947b71c4dd034974960f57f18f2f3ca50c46aa4bace4368bc144db07abbc8f0b693a0f2bd3610b08651d5b500984dc352d8d3e547a1c883
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFcdyGdyo:W7ZppApBULcfpHLcfpyDcdyGdyo

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4448) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	54abf07ae9936161f65ae05234382be0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54abf07ae9936161f65ae05234382be0N.exe

C:\Users\Admin\AppData\Local\Temp\54abf07ae9936161f65ae05234382be0N.exe
"C:\Users\Admin\AppData\Local\Temp\54abf07ae9936161f65ae05234382be0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp

Filesize
39KB

MD5
86d89ff39d1b1b2f65553f0f86f9487a

SHA1
64cd17647e641cbb6dcf06c9161c4a776827cf8e

SHA256
b73367a17d10180c2198bc90456f4b14b04d818e2da9fe721bc499e4d617b110

SHA512
68a7eb2154650cbf95b08e5d242bdf700e870d180d13287538f52329258c013334c1ce89b4ed337f4ba533c831abd83bff4daa5d56566ebc3b613df10cda115a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
edbb07aaa74e33107bb79c33cc5ec81e

SHA1
0bce006caa5c568f4b2452d489e3b95bf8fcb0b4

SHA256
05058e910bd6510b73eac9d31b0f9b3c68d694d79da38a5c1f164bd7f94a52f8

SHA512
fbdc8369c82390c21eade9a4d23d9451aabca34577cd993053c4660dc062765f5ff37ed9b56fd38188f7e05c30135b754ae40a16f2a7b4012e81a9add657be6c

Download Submit