f4202f737c2b7b0b912ad829fc35955511451c80b4a44471b72bb155fd7a9c65

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 03:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

868c4742d91898a68262bd495e0377e0N.exe
Size

58KB
MD5

868c4742d91898a68262bd495e0377e0
SHA1

2ebab7bb299891fa179733676431773d7691f125
SHA256

f4202f737c2b7b0b912ad829fc35955511451c80b4a44471b72bb155fd7a9c65
SHA512

6365216d1b8334469e2a40ae1c801f4c382150158bc2f48421af29d25346ca6028378bfc46a8ceb95fb020521c0b091b95dfa867e38c04cf7bff4e5420b6e86e
SSDEEP

1536:p7ZhA7dAp1++PJHJXA/OsIZfzc3/Q89Q5:Te76WQSol

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2529) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_200_percent.pak.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\de.pak.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	868c4742d91898a68262bd495e0377e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	868c4742d91898a68262bd495e0377e0N.exe

C:\Users\Admin\AppData\Local\Temp\868c4742d91898a68262bd495e0377e0N.exe
"C:\Users\Admin\AppData\Local\Temp\868c4742d91898a68262bd495e0377e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
58KB

MD5
c0a987c484952bd6932482df724d0378

SHA1
a18d5fed218e36f5f5afcfa8e78e870fe0c8f99d

SHA256
57ed059dc5e90e2d25e08daec7cb4b85a0ecc535ea949e0f698852f0604ab30f

SHA512
73a79af14f626202a13ca49a163516524119dc2ec86fd8aa7adfaf9ff2926178c6e35affd8c6b94da3d9b72d8a9bdef879deb0270e75bb675ecee95199913024

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
157KB

MD5
3c52b3bdfdc2946448deb36bc5254867

SHA1
4905c3cbc94d07c1ce1c4a4d9190476b5231f7c8

SHA256
466132e2863b2427567b61872b81e14e51d16c0a8b183aaca165f9ee0319c3c8

SHA512
731ddec94742bc0cc34659daabec24ecb6993f27eb0d7d7535e1c1ec240adf6031d86f0a05725fe6c581a4a9cfe2f62d21c31e1a669db637c043859b4b5f1c5d

Download Submit