ce88bb9d0eeb97c930ae5e3c541b5e4e96f3a1b90f74cdd2e92e29770cfc499d

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682b9d802e02c67014f68c7ad6c05950N.exe
Size

42KB
MD5

682b9d802e02c67014f68c7ad6c05950
SHA1

ab4f98c7e5f37773b38c56962ffd60ae81002d74
SHA256

ce88bb9d0eeb97c930ae5e3c541b5e4e96f3a1b90f74cdd2e92e29770cfc499d
SHA512

d76f4ee94d33f9082b3ed7a3f6e381491ca399c3bf423816931d0a96551d329e587e63431b243fd6a56afb9bec7bda653392653ca92034d1ea10a9ad2f96e002
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGwTCus7sczBEQgQg:W7BlpppARFbhbt7Y7wTCnBE3X

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4690) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\ExportUndo.dot.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_100_percent.pak.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	682b9d802e02c67014f68c7ad6c05950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	682b9d802e02c67014f68c7ad6c05950N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	682b9d802e02c67014f68c7ad6c05950N.exe

C:\Users\Admin\AppData\Local\Temp\682b9d802e02c67014f68c7ad6c05950N.exe
"C:\Users\Admin\AppData\Local\Temp\682b9d802e02c67014f68c7ad6c05950N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-807826884-2440573969-3755798217-1000\desktop.ini.tmp

Filesize
42KB

MD5
bc0bb492b9fad2ac3e34551de28607a2

SHA1
960d0ffa6e8334c42be6f5f7bb09e77cbe7d0e14

SHA256
2854c46f38cb32a9eedf53705e20c5319a38550cb53edd4690fdb268e34bde89

SHA512
078c409e515a2c4d29fcc6314483be1bbda7b5aa3967c5380122d32b9f0352f4a4dbeea62aea1c5b73c8dfd5696c11da9fcae60bde14d3bd494939a74a86e8ac

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
0536764ace26221b714f287b769dac4a

SHA1
b28c9af749faf1f8aad2e05300542373595b996e

SHA256
9e770356bae3d772b8daf2eed7f6feafaf75b64022c1f50976e9a872fcdeae1e

SHA512
3b4eaec8ddfc1c35034b6deae835b9096d9634da064dfcc196fd1b856001726309a29e289978bba77425997571e2a8eb4ba4b149b2a2c6806a8c139b5cd61f74

Download Submit