079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
Size

45KB
MD5

db23bbe0c588d2771177452661de1b63
SHA1

a14263741054773f0b29de6f023eabf9afd89423
SHA256

079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a
SHA512

5a771e7616e0ebc2d2c15de074c847c13f5c7f13f5e29d79f6364ca41ef56f90c15de320cba4f6fa6bc40e633baf725a94f8d2e1a505681c2eaec5097e2cd608
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyLlvoxol:W7ZppApyVyjVyLlX

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4586) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\pt-PT.pak.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\DebugStop.snd.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe

C:\Users\Admin\AppData\Local\Temp\079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe
"C:\Users\Admin\AppData\Local\Temp\079afb8c3a759c5abb83e309bfb63f078c05941833e4059402c0f32f64dbb82a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1403246978-718555486-3105247137-1000\desktop.ini.tmp

Filesize
45KB

MD5
6cb314f97ca89b3993432ce656c300c8

SHA1
bc7409ebf35fa85b750894882249167609c08e6b

SHA256
6cf7e5ffd74b2805250aa6a598d0bde6c2e4f68825178145099008652e702b33

SHA512
5732bf44226344d2f70c549ba72ecd20f45bc3b73f1b98368412548e37599370dda8fcb11cbd36d02fa9ae1a322b23e495db1d33ce2d8f2175357f0cf09263ab

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
f2bc5b0437e50e14d68bee6d3bdda3ad

SHA1
293cd1cc0767bd0b923ee5e5d07df9c87afcaa0c

SHA256
60de71373131f3cb30587f4878aeda5c8289b5c2548ee363d67b261d65948bf9

SHA512
597c86ca0c0cd2256bb936708849647a3fc3295e3b761a1c4aaf2301548f835636372eed68161f89a217ec72e844b02cd929b3377053bf213e61e1b2660b3998

Download Submit