597cf1fe52e304d4f693a6daeaa958d234c0a6494b4cbd2c7274165b85c3a9a6

General

Target

7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
Size

54KB
MD5

7d1b6e714b59fa324fe8dfaa7c1b6fe0
SHA1

7cbaa57ed46fd5ec94879f1de79e7e1b41521651
SHA256

597cf1fe52e304d4f693a6daeaa958d234c0a6494b4cbd2c7274165b85c3a9a6
SHA512

3d1c7778046c7e78174663693efb1669349364eb23dfd7a1686a3f1633370fc56f7df7ad551a0d6024586cd5f8618270d2b3faec7442016fe62989d09b757d49
SSDEEP

768:W7BlpppARFbhwEnAAJ+AAJ9vcYNnVvcYNnfy7/gVyjVyS:W7ZppApwEk7n97n5VyjVyS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1606) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\DismountDebug.mpeg.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe

C:\Users\Admin\AppData\Local\Temp\7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\7d1b6e714b59fa324fe8dfaa7c1b6fe0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
55KB

MD5
594a8c4b75fb21ee7e089553684740e3

SHA1
d8d0034d0c480c157eaf3f1bd1c36ad5701c1bd6

SHA256
bbfb180b080d03c6335ec281000b7c3a3101158fae4416889127932c080e7521

SHA512
0db72083c2f365e593c856e3e85eb87be18cf5fd8124172918ddd4ab349eb296a402f78ddd826c5b159f7a455959581ddfd5712810938efde08b880d7a7a0ee9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
d279db39929c6d3208d6fe3a9f70a63a

SHA1
b45d06e374816406e0d21a6d340b55a879cc2a36

SHA256
399df0f154857dd0086ad1107cacf59aa0ad0c716de05f39d4fa17b40c4a3536

SHA512
9561a29e434dfff5aaa4d45f170664bff4e956afc324c7efb5ccf1a5c27378ff6ac34ba674928b3e3e760e1581ddf54354ab0041714887bc3feaa963a2b8c64a

Download Submit

Analysis

Sharing