b7ff21be8d70761ae7e051223096a9ffa426a19e733feba9ff5d3c7730c7e0c5

General

Target

7cc07ea6ace4a134f11dbd94f8fa7480N.exe
Size

43KB
MD5

7cc07ea6ace4a134f11dbd94f8fa7480
SHA1

30a950f8f8652fda2ce1e70c021d8579087b5f38
SHA256

b7ff21be8d70761ae7e051223096a9ffa426a19e733feba9ff5d3c7730c7e0c5
SHA512

1d1fc80b3a9ab28bbb58e58024d5b3ce35c4e82b35d012042b96f9aa93a7d4f1858fad2157aed4ce73db91ef4df6625727832267b4cc0a4da6d57e9b450e1640
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpT4bJyGx3hMIJyGx3hM4:W7ZppApBULcfpHLcfpEJyrIJyr4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1997) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

7cc07ea6ace4a134f11dbd94f8fa7480N.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ur.pak.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	7cc07ea6ace4a134f11dbd94f8fa7480N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7cc07ea6ace4a134f11dbd94f8fa7480N.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7cc07ea6ace4a134f11dbd94f8fa7480N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cc07ea6ace4a134f11dbd94f8fa7480N.exe

C:\Users\Admin\AppData\Local\Temp\7cc07ea6ace4a134f11dbd94f8fa7480N.exe
"C:\Users\Admin\AppData\Local\Temp\7cc07ea6ace4a134f11dbd94f8fa7480N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1403246978-718555486-3105247137-1000\desktop.ini.tmp

Filesize
43KB

MD5
b5266d6eeb5ea6766c76a90e3e7db40e

SHA1
c9603aad49409104db78492d82b599d1f600fdbc

SHA256
20f99a56e4048ca0ab89db02af568c1893c68219b4f21ed91479a5fb8bda022f

SHA512
cc67162cfee272243db0cc4fb4781ac0a31b40a74202818cb4f468e9c653b6aec59b4f7fbbfa59df993f680f58ebef24d7078feb55137b12dc3b3b0848435424

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
4878ada79ee8a17a75ffced8d383a8b1

SHA1
f88f0247a535b0cab87932491a6c67546f92ac57

SHA256
3845cb22ae5cab5475cbbe179a815b8b741ecf388b75a9a1a2f93ac3ae2e5d0d

SHA512
0a92d8f1d28a0627e57607a9f5a81d1e8c9e668b960595acb54dd22600da1756bc4011535847ef25a0cfb285fc13fde128f4b269ef0f0e935025373711bbe341

Download Submit

Analysis

Sharing