0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
Size

36KB
MD5

e7adc8c3c881a5b494fbc8c250b2c5e0
SHA1

8f91532adcc6e72b20a1cb45e57789ca92e1222b
SHA256

0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7
SHA512

bf18640a0e7b8c8ea8a89a152e13abe9a7af94e00bcec49b42987ce218573e95d0964e83ae8451558aca781ec7eaae6b5f320267d49d4fff9b5ac655384fc24e
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHdGeqc4SUqUGeqc4SU8:yBs7Br5xjL8AgA71Fbhva4S04SH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4741) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\es-419.pak.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\id.pak.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\123.0.6312.106.manifest.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe

C:\Users\Admin\AppData\Local\Temp\0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe
"C:\Users\Admin\AppData\Local\Temp\0824da157df0c93ff874eec69e19402e1c72fc8e9fba0c78d6381d016ef61ec7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
36KB

MD5
63eeab0996673a8f890096ac3fb49869

SHA1
ec13c72ff62bcb2849c455397ccf877bca979209

SHA256
626ae4c43976a334ecec1c996363fe78b4589054bb2db72b55ba514b53d35429

SHA512
ff64958749cd0f2e93dbe3a18730823d707f445042ae4aeaf6a8bff3fe0a0b510682b46bb067e49b05519608d411a7fa0d9813656088653bd175271ef562163c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
640147af4741d45ad6968c25d1d0655c

SHA1
02ff174ac03e2f53abebe4ff4ffc1bb0724f1d7b

SHA256
d0cbfa1eafe29737fdd5cbf9bef4ce8e027cf46c1f467d279372cc264e87a110

SHA512
8ae912681be61040c588467b4d5eb4f8e251672c24a0b0ce394be04cb9a4325440ed11234ce3fa327e5fa96acc7b71a0c2da073ef281633739cd66d18622a33e

Download Submit
memory/3496-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3496-1786-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download