e75c53f4c0c9e45997ff3cca907ee523e9970ed5e1e4038ef82353b41dabf0f7

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c2832d4d0d9f356a20bc35b684e3300N.exe
Size

2.3MB
MD5

5c2832d4d0d9f356a20bc35b684e3300
SHA1

6f9edbe1d74fc0adb1aa6ce99a0a35f747dfc89f
SHA256

e75c53f4c0c9e45997ff3cca907ee523e9970ed5e1e4038ef82353b41dabf0f7
SHA512

39cd11fbc584e53f05a4867b422af5da33e62261a23c206af053a3a2590ac55a494bf6ae115fc0a37f7f7c115be09208a1133d836f521683fb6b3b412f86e2af
SSDEEP

49152:xJWQFoNRlYmCEruP5m9lMJWQFoNRlYmCEqv:x08oNRJX9lM08oNRsv

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (983) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\DisconnectMount.pub.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	5c2832d4d0d9f356a20bc35b684e3300N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c2832d4d0d9f356a20bc35b684e3300N.exe

C:\Users\Admin\AppData\Local\Temp\5c2832d4d0d9f356a20bc35b684e3300N.exe
"C:\Users\Admin\AppData\Local\Temp\5c2832d4d0d9f356a20bc35b684e3300N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3881032017-2947584075-2120384563-1000\desktop.ini.tmp

Filesize
2.3MB

MD5
9473f9157e8912a31f1b928b363deb1b

SHA1
cba35c3081ca884afc90363e5f69b7fe4b6f3936

SHA256
3f57a87506b0e24b5549923d41e721eec52d3fd81269e0eaf92e91b4dcbe6fc1

SHA512
a515b24238fc65430659dfcb8b8b9ead2f18647a4346d357e9c2e1c94a19dd844abbecf1ac6d45ad79d27cf3f0c5cfe05f1449e3c2b2bc073dd53f43732387fe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
2.4MB

MD5
5b9458936b7b19909575be03d3dfb29f

SHA1
7c9f63ef2b25651e44a0debb0ff9d971a78f8c74

SHA256
44dce0fce8974d206027e496e5efb4945f5868052cff4a027b1617ed12ad6cbd

SHA512
ad79bc2b4e3c4ec68c12d2534ce2bc41a6a868e1d5e857e0b613990416e1d048cf1c156043600fdd00c1b26a59805218e23b095ae9245e5491fa93f69cf39d53

Download Submit