59c7311c4bb76ee16fb95c81da26adb478704932d750e569fc7d9dd6208c9c8d

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

030caddfa32b5df6ca6482419dd0da30N.exe
Size

87KB
MD5

030caddfa32b5df6ca6482419dd0da30
SHA1

b9caaa1bb69df7f3e25769a888a7cc0be468ab47
SHA256

59c7311c4bb76ee16fb95c81da26adb478704932d750e569fc7d9dd6208c9c8d
SHA512

2017f7aa27dba09c65f335c53fa1aac40b8f1855ce07acf647d204d2137800bcddb552fbeffd021411343631478116b7236ad377d0883b9085fe31806bb00ee4
SSDEEP

768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmhyEXBwzEXBw8/L:W7ZDpApYbWjIoPyPoLzV7c6ShF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\sk.pak.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	030caddfa32b5df6ca6482419dd0da30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	030caddfa32b5df6ca6482419dd0da30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	030caddfa32b5df6ca6482419dd0da30N.exe

C:\Users\Admin\AppData\Local\Temp\030caddfa32b5df6ca6482419dd0da30N.exe
"C:\Users\Admin\AppData\Local\Temp\030caddfa32b5df6ca6482419dd0da30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3881032017-2947584075-2120384563-1000\desktop.ini.tmp

Filesize
87KB

MD5
32b8a1ad5ab37a77655988fd88f32e73

SHA1
ac64f14738e46aee0f7cc9c8962a05ecdae2eccf

SHA256
674605ff5d31551c8c7a509de31692a0f63106b1620037a0b52ad8b1e58bb399

SHA512
70d21a4eff394f3c4a703b83dcdb1515f684583eb7f86c690d73845faf78c886ab50eb7976617c9887b56d78a64df2f1ad0e9f5a9c284b94ccf0c1e5cb5a3ef8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
186KB

MD5
d0d08fb742ee156b2147c51effe01788

SHA1
1a87748eeea60051301d7624adb0e60424c5be7d

SHA256
1781e6008ff069a62f26687faea466586106848ed313e88361e75eee32517eda

SHA512
a9ed1f3e86d726818317f90597b21289f6bc862b151f617f3b9bdf51576d6adffbd85368bfabd2380a5156da5b26c90036d463af28c1117334e80981fa27ff4e

Download Submit