29b4c5e81ac9e87d5197a1c7b182447c1b58b54861d3295d06a9498aa58e5255

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0643227992fd60411400fca2f7f5bd50N.exe
Size

42KB
MD5

0643227992fd60411400fca2f7f5bd50
SHA1

db7b616f78681b6a2fdffe1525ca8c5c1bd37a38
SHA256

29b4c5e81ac9e87d5197a1c7b182447c1b58b54861d3295d06a9498aa58e5255
SHA512

9411b7aa5e81c2ee39a464a3673e8c5014f0e7c3e7c1160a7176386c4aebb50d7a483b5171b992be1856d3166f96b1c3afddefa6750221914bcb3fd0d59d8c07
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpT4wWklr:W7ZppApBULcfpHLcfp5WQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4357) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\da.pak.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_200_percent.pak.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	0643227992fd60411400fca2f7f5bd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0643227992fd60411400fca2f7f5bd50N.exe

C:\Users\Admin\AppData\Local\Temp\0643227992fd60411400fca2f7f5bd50N.exe
"C:\Users\Admin\AppData\Local\Temp\0643227992fd60411400fca2f7f5bd50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
42KB

MD5
33511cff8796cfc8f2a1c48dcecc19f3

SHA1
f16427b814b7489a02ce6eac84162379eb158ecf

SHA256
a33eea79cce942529cef2e78b338b11d21d1a99134ca147272f1f10ff66520fa

SHA512
48f0da0cbc2f2f6e6020e6228464041235070a7d0d7275b2c38f870a957abbd79f893f683ddcf5027da536d8157b56a05c20aaff33fa62879cfba8927cbab151

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
f8e214424a5c4b5c5a266378c8009238

SHA1
4d441a3ba1f2995917e6e2e471fbb4ac818f503b

SHA256
0933f87046e1eacda836db4ce5c2cd1dade51f1b82ef1087404f2babf8e8cc75

SHA512
be1569d60bdf643f851d1d2aae466f989e975c11cda732bf0a117c2f5f576a68f70c911e40cb0aba227c24b0b6c6164fd10215846ec6385a9c3db2a9200c054f

Download Submit