553aa45044cfa5dfabb21e8a13d43ab9702451aadfd5c1c503b9df170d418830

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 20:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d09853799573262a5607802d7c9c570N.exe
Size

44KB
MD5

4d09853799573262a5607802d7c9c570
SHA1

c04bf8bedc9e6202486130f705473c68da1f5024
SHA256

553aa45044cfa5dfabb21e8a13d43ab9702451aadfd5c1c503b9df170d418830
SHA512

aefb7ea44f0e70eb52ba8ce51f3c13d2b214d303e3c235b15c5ecbd281dd84b6443d9c28d2fc44c6a9dd59ab601691dccb08289de95a1d11f7dffafc3571ae18
SSDEEP

768:/7BlpQpARFbhn54fmiy+3BVr54fmiy+3BVq/a:/7ZQpApmi/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\LICENSE.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome.exe.sig.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxcompiler.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vk_swiftshader_icd.json.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\af.pak.tmp	4d09853799573262a5607802d7c9c570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	4d09853799573262a5607802d7c9c570N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d09853799573262a5607802d7c9c570N.exe

C:\Users\Admin\AppData\Local\Temp\4d09853799573262a5607802d7c9c570N.exe
"C:\Users\Admin\AppData\Local\Temp\4d09853799573262a5607802d7c9c570N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
44KB

MD5
91117cc01ff4976fbffaa86a86816f32

SHA1
0cba8a3810eac31bf377740968bac71b2e0ee5d8

SHA256
b55fa9bb8d629391e6087f61d6c6956a6b3be3efcefa898347a40f992cd5cf8a

SHA512
6207730087eb1437bc483fea9e4bb52248c35c089b8dbf8417fc5461aa2726d4220b930b4b6faf1c58e63d11aa527822a8b5043da3e88858d3327d1afddf8ce9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
4b768e228e3f6171dd37136364b588fb

SHA1
f33e1e928f2b4c31e0df2875f05c19c2f9320b56

SHA256
8afcfb1ac6785a920723c86ac3cc4717425420b3c2321a75b7228ac2488e950a

SHA512
7de0e40c51f0269ffc6b456f11690802c422d0d24cd9524a74b2f4f8dcf339f38d15e3c8e3bcd95a009bee26bc9c1ec74b159f43f1d5fd4825ff857c0b09a21c

Download Submit
memory/4964-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4964-1430-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download