51dda95f62ee5a05883a8e4b4be3f7bf036c0221aec5ae7eb3df1dac7e12f0c1

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178a174aa178d3e2b61b7e77d19a0870N.exe
Size

45KB
MD5

178a174aa178d3e2b61b7e77d19a0870
SHA1

f4d436fd629c7eb793285db4f0b51fe4be256577
SHA256

51dda95f62ee5a05883a8e4b4be3f7bf036c0221aec5ae7eb3df1dac7e12f0c1
SHA512

cc374901aff660d0d6570c38ea92eafab8a46e5f1dd13d0e477118aa4979f7140d77d90093b074ed37100631dbe4d8d7dd9bd6130d41a98ee20fc56b96ed7ee0
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwRJofJoinI5nIWfQfs:W7ZppApaJofJoiwP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Google\Chrome\Application\debug.log.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoDev.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	178a174aa178d3e2b61b7e77d19a0870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	178a174aa178d3e2b61b7e77d19a0870N.exe

C:\Users\Admin\AppData\Local\Temp\178a174aa178d3e2b61b7e77d19a0870N.exe
"C:\Users\Admin\AppData\Local\Temp\178a174aa178d3e2b61b7e77d19a0870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-857544305-989156968-2929034274-1000\desktop.ini.tmp

Filesize
45KB

MD5
2d66a07c4e5417c5e02b6ecfd1b91610

SHA1
da84afa53d7f8c3dccdaf0969ef8d8709d821451

SHA256
ea3a3eadc76a3980d64032ef087740405f9732a9110893611c85eaf53d88981d

SHA512
5f15cb1d575a5506f016f202a5ec850576c908bb35e53db5214925717149d649e5424f3cdc91159b3705d90e771b04ef315ee9044dc355288c2e3dec19f20454

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
a5a0f46ab0a8110e5ee640a704cdab5c

SHA1
607cce4c09c76d757a9b57ea96c8ec41395a34d1

SHA256
9b3c53d6418d7c3a25d37f530310425b0ff12f44053f2f298bcc3fe0e585b76a

SHA512
f90817f00e060bc98fd668d33fd746422c0a301897d0a65f3e955103fce01d080e6ee099e88bb2f37145635c36c7cbbfdc47418b919f2b81ee7d8c695123cabe

Download Submit