464ee1fa0691f103a92e68a329a1443269f5a32326b3f856b5451db80bed85fd

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45215285330c6edc6bcdb61c6107c620N.exe
Size

88KB
MD5

45215285330c6edc6bcdb61c6107c620
SHA1

c1e491ae54a9c1844928685c4026d7e57ea148ea
SHA256

464ee1fa0691f103a92e68a329a1443269f5a32326b3f856b5451db80bed85fd
SHA512

faf0aa904432085d322ccbac5c62f31485a91368fe2e585c1e2a9401ae6ca2c19100cd8b9d56e7ec88992579b46035f3890aaae3934f99ddf60b9b98c870da49
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhA:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_200_percent.pak.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\vi.pak.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\da.pak.tmp	45215285330c6edc6bcdb61c6107c620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	45215285330c6edc6bcdb61c6107c620N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45215285330c6edc6bcdb61c6107c620N.exe

C:\Users\Admin\AppData\Local\Temp\45215285330c6edc6bcdb61c6107c620N.exe
"C:\Users\Admin\AppData\Local\Temp\45215285330c6edc6bcdb61c6107c620N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3089151618-2647890268-2710988337-1000\desktop.ini.tmp

Filesize
88KB

MD5
e8eba1f26a798722d09d3a2a708010d0

SHA1
df6c2921489980637fbe2fb253f93061b80146a0

SHA256
eba1842c086833d4a3ff4fe9cdc5dc4f36ded1b7eed4087cc6066b84fbdda765

SHA512
a7fee1523b55b1056db1a9d1940a90fce7ba248ab61cc7dcc78443b9e82b1f2e18313bfec82d171d8fb04e9a842ff16ae0cf9de14934be6fcfca2f78ba19134a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
3412036a00cf7e8b5df5520fde7b8d79

SHA1
13c39182ac51035ee3e092a6e44f7fcb4aa11f07

SHA256
586fa69d65b253ca4c2aeb82a51f35a47adaf81bc5f07a511f8986d11a275a8b

SHA512
4c8ee3d3b9a2dc5657d3e900fdec7a4cd76b5cd80a300c20d0c8b16dd119d51fb9946ce05ed4477beed6247a289cb48716f5b4a3a65aaf4efb9a1b49927e9309

Download Submit