c45ac23089fa4f88d2725b10c3ce721d176ad284e62c1e88fd5eefa3e57551ba

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f561d796f906fa613aa5f0b670f870N.exe
Size

38KB
MD5

13f561d796f906fa613aa5f0b670f870
SHA1

d89c5fb7d3b667c64a2d588c5293e4731f26f0b4
SHA256

c45ac23089fa4f88d2725b10c3ce721d176ad284e62c1e88fd5eefa3e57551ba
SHA512

38c9b13095751dbf712d0bbe64dc6a694ee27d74ff815aae588f2f3cfd5f6eb00afcd32361150f0e5d80ebfca4dfd15ab8ed26eb204b966de16094e25714546e
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/F40U0qAiAJOHAiAJO7:/7BlpQpARFbhSnwiAJxiAJ6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4037) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\am.pak.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	13f561d796f906fa613aa5f0b670f870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13f561d796f906fa613aa5f0b670f870N.exe

C:\Users\Admin\AppData\Local\Temp\13f561d796f906fa613aa5f0b670f870N.exe
"C:\Users\Admin\AppData\Local\Temp\13f561d796f906fa613aa5f0b670f870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini.tmp

Filesize
38KB

MD5
07e127306af743ae4091913bc7092847

SHA1
69fb589babf90188cc9c6eb18c94b9ae16b39bed

SHA256
80197e9eea3d4673a3e56da197644a20097cc42c4dadb205c77837ecd214ad38

SHA512
98948c1eb90fa17bd3292e6ccffdc586543707bee0a2a0aefc93fad6573ae3316cabaa8445133bc01ec65d4c66d2f03ff5b1dd3447a0a72a5e5de30c3cfd9dee

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
e76ec943c6551144f4bd5105565dbced

SHA1
e531a33cd0a88e49e726aa59143ed38a416a30a6

SHA256
25953543e0917873caf0fcf335e87d10eb448d246242e330fbf8b5ea0c6b7433

SHA512
2bab6bd74e432e2d2a0bf30f16b220057404576239e16428c1ed5b8b4104af9ba56d69341ba8a152f72eef64af4dc4652acab8ac7514785958962f3cae2d8474

Download Submit
memory/3952-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3952-1670-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download