e13b59e6ef25540f978d4a2e499aafed4702cc4c3aebd7a968f32d4d809f0c31

Analysis

max time kernel
119s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
Size

53KB
MD5

1fdc5dd849430d7f56fe9c1cbf36dd50
SHA1

184f742bb1b2e4fdf228d4aad6c3b4391e40fc46
SHA256

e13b59e6ef25540f978d4a2e499aafed4702cc4c3aebd7a968f32d4d809f0c31
SHA512

77f8633d425230645c8c82914ebbd4161093eaa9d80c39f30db09889724da621db3ae559c425e053f60c12af432a1b426854a8dc8ed28eff459bdeed08162944
SSDEEP

768:W7BlpppARFbhwEnAAJ+AAJ9vcYNnVvcYNnfy7/d:W7ZppApwEk7n97nE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4136) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\manifest.json.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fdc5dd849430d7f56fe9c1cbf36dd50N.exe

C:\Users\Admin\AppData\Local\Temp\1fdc5dd849430d7f56fe9c1cbf36dd50N.exe
"C:\Users\Admin\AppData\Local\Temp\1fdc5dd849430d7f56fe9c1cbf36dd50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
54KB

MD5
cc699b61a2756db8a5e67379ef2749ab

SHA1
748ef325de82b4225960478e2681c76918b9f700

SHA256
ed8ac4d4d11b2d92af953b7a0c8da7cb45d8a5dd7e37b3efd9851b35a6c8c326

SHA512
13e4f4076d94b3e4ee04bc3ff6fc2b69d6c7e3d21ffcab578ae517ebedb65ee361b2acdda66931d82d9583d4e4fd8a089650589f8e2b6a49bb5b46b0c62a497c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
fbfc59437cdfcaea7270926edb9e25d9

SHA1
53727e9f0f49435c6e1054f7ff34c924fe57f4c1

SHA256
cdf4123e7f7ec0af7395cc4d1b5cd5da1e062d9d738f772725f6048e37d00f80

SHA512
9f2c4d09c5227e1926f68b9a0a7d27a70cc2930f8fa39306e354d5db3a136e326ece7ec0ec9d920545ad9fcfc2618da00f396d26ed15cb20e8a1173e92bc8dad

Download Submit