40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
Size

41KB
MD5

de1d6540340d73ca3dd2cdf5c5da87bd
SHA1

072dee09e547d761f4212ac615dc6c847e79926b
SHA256

40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb
SHA512

7a6ef530e1d2d335e887ea0c1e8baab4c933c78a69de58ba1f7508a1ebd9168f70a58bc7791628083581edf7f73d8d49d065ad4539207e4d6e222a2ab266846d
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBpR42L5FgAytBpy6Hc6HzK:W7BlpppARFbhjbhg42LcfpR42LcfpybH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5157) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe

C:\Users\Admin\AppData\Local\Temp\40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe
"C:\Users\Admin\AppData\Local\Temp\40fed519c1a8f266a3b247ac0a4bd77b75e7dc3571e7337a21825962b2976ceb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1266786182-1874524688-71015548-1000\desktop.ini.tmp

Filesize
41KB

MD5
5b8f400f45e7ee62f23d196ef9917137

SHA1
7e910dc234f7417ab78dd88672ed10ccab04521b

SHA256
b198f8c19b9f3745d238a0046ef01136b44e92be6d3d10207210af19e349b977

SHA512
9afa9df924453f9353eb229af256fc268e855c3ffa879818bd1fa2cb4b16ba2a3d84a38c1d3f39d3661831fba68ce09a33c4ef868eac64c5fa75d6fbc20c6919

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
f9b2297578130412e3d1f5eff37fd11c

SHA1
cebc9c746fb50ca61589d87b8041452f671854cf

SHA256
006f36abfc7bd65285c722885ea01b3de6a594a5150550d600cdb49c97a936b5

SHA512
ca53f765bbd2eed4fcac14f6b50914435106cb090d5ea22c284951f0fc6d03a0966d3f60674cbd1240f9bc3adcd62df6dc2802c3309cb2ab77192eb52b75f998

Download Submit