568d810164964e9f3de78a7d878fc2956cadc5c6d0e805e62800926b676bdefc

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65df4cbd888200e9c9e6503db99a98b0N.exe
Size

32KB
MD5

65df4cbd888200e9c9e6503db99a98b0
SHA1

c27553884931d81e6f4ec68995d71793bf9381d6
SHA256

568d810164964e9f3de78a7d878fc2956cadc5c6d0e805e62800926b676bdefc
SHA512

912fd5aee26c94c5bbc2ca58678ff2aeccfe7b3710c3c78930093624783508104e39828b3f7be8d2129c3d47d8313d9aff6be05811d41e4db1abb7fa8943a89d
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxjD:yBs7Br5xjL8AgA71Fbhv/FD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vk_swiftshader_icd.json.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\CloseGrant.ico.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	65df4cbd888200e9c9e6503db99a98b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65df4cbd888200e9c9e6503db99a98b0N.exe

C:\Users\Admin\AppData\Local\Temp\65df4cbd888200e9c9e6503db99a98b0N.exe
"C:\Users\Admin\AppData\Local\Temp\65df4cbd888200e9c9e6503db99a98b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-384068567-2943195810-3631207890-1000\desktop.ini.tmp

Filesize
33KB

MD5
a56255ac8d39209de35e2c1178e07488

SHA1
62926069b2bee5505b30b760f514b983a4409a7d

SHA256
11110f3f7d8bb119136e7f23d66312fd0b1b8003c129260724ab93b7921c34e3

SHA512
051aaa15ad097eaeee8b6bf97ad9c7ccf077028b6a7578be63da6ed2200a91c09cec0f2a7956d34057167af9a846486b3f2151af0f5654c1621962c5da96ff8c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
846836adf2631b4d777886206c72ad13

SHA1
7eecb502765478f9e07efc410ddf2af305744720

SHA256
15d8407d818de31f8796524c171c84a8f5374b2f42d82a433469055696b960bf

SHA512
298c95146ceac4ad70e421a44c41722d319b1adfec9f92564b8e93b1df5d95398e904bb027ac1c5824622bd79ca6623e5fb1ebfc06526b1369102aecdd075843

Download Submit
memory/1344-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1344-1778-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download