b6bed7e8dced1374399cf4ffc14729fac4ea2fafa536e683335fab2e9d5ab273

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8237abddc56c9e81680c1466e3c7fc00N.exe
Size

47KB
MD5

8237abddc56c9e81680c1466e3c7fc00
SHA1

f416b598554e2011a7e89c33f05dded27136b105
SHA256

b6bed7e8dced1374399cf4ffc14729fac4ea2fafa536e683335fab2e9d5ab273
SHA512

0be3bb45f252eafda6706ad85223e323c31051111e56ad4586c7f6aec8c8aa200a0d2b4aca65d7cde60043bd4f21bafda42a6193b389f966fc7622f5381a6686
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNKVkVYlIAItCJzyKbNzzyKbNlpsg:W7BlpppARFbhFAxCJWK9WK79

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxil.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\InstallComplete.vbe.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	8237abddc56c9e81680c1466e3c7fc00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8237abddc56c9e81680c1466e3c7fc00N.exe

C:\Users\Admin\AppData\Local\Temp\8237abddc56c9e81680c1466e3c7fc00N.exe
"C:\Users\Admin\AppData\Local\Temp\8237abddc56c9e81680c1466e3c7fc00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
47KB

MD5
98ce85ccee2d039cf67f23b73602c28f

SHA1
ce1ad4fda56b36282f8d7a3a6a0dc0d8058e5422

SHA256
d6051edce9ea0e953a5ce9f426ae24e60c80e0c6a6dd73e6659fe8be3320c8ea

SHA512
be68a3ab6f5ddeb1085e81c68151cb95b0a369f0b919372c1931cd2f00e7d750513bc895e9c161bfef44e70eba3e23878103029495916fcdab37c85f6a7237ab

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
c6b5113f0c41da126c9a59b4218bf1b9

SHA1
88014736394f1501c42aaf4a08eef88cc8f3bda6

SHA256
6964528ed4279e154a7e5529bbc652173d3e3dd43f9737e3bfb9cd438b6a2865

SHA512
a7194b32697e87a805d31494290decd1f1e1a27f1c0f7ba0f51610c44630fc038b9594d6040f92f40ed267dee291e9d3cda72d27df4539ead911db91ea5cf909

Download Submit