a8fb0312c0474426caff47a03a23b7a237e32fa1fe163525e6b365aed06956d5

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76c7f3a500a3d42b82595fdcb84b90a0N.exe
Size

42KB
MD5

76c7f3a500a3d42b82595fdcb84b90a0
SHA1

a25a720688bf9ff9bbcdde5356a45495d4b9ac04
SHA256

a8fb0312c0474426caff47a03a23b7a237e32fa1fe163525e6b365aed06956d5
SHA512

93d806bb88e6dba84a5ef5e30717d40dccaf1842ecc20bb7d6694fbcd323fafdf78cf482c2a4fd41aeeafca05837177daea31e3927d47ffdaf239d058740c08f
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpT4wWJ:W7ZppApBULcfpHLcfp5WJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4727) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\ClearShow.ADTS.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	76c7f3a500a3d42b82595fdcb84b90a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76c7f3a500a3d42b82595fdcb84b90a0N.exe

C:\Users\Admin\AppData\Local\Temp\76c7f3a500a3d42b82595fdcb84b90a0N.exe
"C:\Users\Admin\AppData\Local\Temp\76c7f3a500a3d42b82595fdcb84b90a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-807826884-2440573969-3755798217-1000\desktop.ini.tmp

Filesize
42KB

MD5
7e73413e6a5d3418fb028785cb6c87a0

SHA1
24387e638586396ad861ab9c298e7f0a1c45a202

SHA256
814ea1aa547c0cc09a486ef4bcb3ad5e63b0d6cff9e373af3caacbd087531e1f

SHA512
b2a40815e5975bd0603282c551e97ae0c016db823bf0359c596583a01642c5e40ee0aebc78a360425b8ca4ae81ddc037dd0e34c6780ae225e223df74c093bc4d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
e9dc192708625917dad56f10f589c81d

SHA1
6f23a503a9dec159f4482ee93cdb8dc0776f0186

SHA256
a24ab16d54389e361a27cee8b1c233fb11ee3ba77c27a0b5478369084fa66a9a

SHA512
5e07f47bea9749dc9ab15750ed243399993708607c2aa74429e4f61807106becf3e16bd938844c65197890ad310d392f16fb3d07238e878b937897c85cadf0f7

Download Submit