de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182

General

Target

de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
Size

34KB
MD5

388515e4def03ce109c6ae5ece322bdf
SHA1

0f7dcfc5899ba4c72cb7693ac5c053b7099d3562
SHA256

de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182
SHA512

8312e8bf887807b42467f9d555dddf1bd084db12a90ee082b7e6a0f619a1eea36d1e1e2a15c6d7ab4e9881a4e1a97b077318eb440f1753a351b913ac67310918
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxjc8P8+:yBs7Br5xjL8AgA71Fbhv/F1U+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2738) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\LogoBeta.png.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\zh-TW.pak.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\icudtl.dat.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe

C:\Users\Admin\AppData\Local\Temp\de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe
"C:\Users\Admin\AppData\Local\Temp\de286bb9632e157294b33cfc4e627b79fed41c8ab5d5ac82cba6b0e7fb290182.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp
Filesize
34KB

MD5
2eb65bfa3ac7c1b4e6bf044596f3f439

SHA1
180e4a091bdeff668525b5a45454af2eb183194d

SHA256
ef3c7f2c8bcf21bb4e88d7e6a7e1e0ffb748bfbf092d9368070243e871ea55e1

SHA512
f29c6ed6730176ee04d0fda26c912ddfe8340ff87dcfcbf38d55753adc4d393aa0ca29c8160357626a318589e12d2da058a28319fef0a016c030d9b805be2dcd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
133KB

MD5
1755de5dff5820f04ebe7143822c4578

SHA1
f0c7814a497d4f637158bbef3438898ce4ae0308

SHA256
ee36bff5c7ad0bc8de5732cd008322f384a3b1fbb25d074544eff084414d84ee

SHA512
f009b2a07380af450c6d92b12fe53fbc9781915ffb7a2db0559a00c26c982cf3a20a1322b856c0a604fb95aa8090cd9c60a76e6c9249d8c2903a14ce35767d93

Download Submit
memory/4908-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4908-1580-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing