8258440aca5b4f6ce780cf6ba0a525f483a1b50c25a7179c8837a2433734ec99

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e993225f94b73cd67afb12b372e5a0N.exe
Size

81KB
MD5

82e993225f94b73cd67afb12b372e5a0
SHA1

8eb068a286da6299a8ca3dd7091f439006098268
SHA256

8258440aca5b4f6ce780cf6ba0a525f483a1b50c25a7179c8837a2433734ec99
SHA512

6d53d09d0da7782f2631c6590da6b0a00899fbc4d2924bc1bc8268579e5092128ee307bfc4f33c2d68cc7e450114fa3aa75d4dc43b23ae1a5d8d687035a9fd1c
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJeFrxFrZY0Ql:9QWpze+eJfFpsJOfFpsJ0rDra

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3686) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	82e993225f94b73cd67afb12b372e5a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	82e993225f94b73cd67afb12b372e5a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82e993225f94b73cd67afb12b372e5a0N.exe

C:\Users\Admin\AppData\Local\Temp\82e993225f94b73cd67afb12b372e5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\82e993225f94b73cd67afb12b372e5a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini.tmp

Filesize
82KB

MD5
4ee0374388e4581d8e25d48556de711c

SHA1
4d61a4efc80f8e0c4bbeb40ba1667b53c5e68285

SHA256
421f9be12bbab97359342c506f98a3622460feba1a49e83310930f34060f1845

SHA512
bf86389d58ba21e20bc39821456f5854d9c607c3e6cdb9d064ef5cc68a83153610ab002351b47553ba2ee6fc5e61f56d0d3adfb06e74722d60eb47b51cb7b61d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
6c984e5b65e0c5a7ca26571dff50d9a8

SHA1
a32c863bac32cc22b498b69c14c63d45cdfdc1b6

SHA256
e401aaa8dd60555d03081df5d3e5d364b132d33a3e41d36902a4c08cccf1e5d5

SHA512
4e571562db5ad3f906376668715bc168124a3e08e641f230d9b14eb5ea01c38c45bc758837d58ea626d8047d635f349fc30189b13ee9abf9d5182d01e289ab76

Download Submit
memory/5052-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5052-1584-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download