d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
Size

39KB
MD5

65024eac5c14c250710367aea81c345a
SHA1

6a3e0778aace114e507735ba0dc7d04460bcb673
SHA256

d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e
SHA512

68674df5707d53f3eb0a747bba3c672c16d84fdebb2b877c622e3bc918a00b0fd46f888268f1b8b2dbd9c560a29668cf664413b43267b71f7b6365ae24c363b8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLq:W7ZppApBULcfpHLcfpyD5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es-419.pak.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe

C:\Users\Admin\AppData\Local\Temp\d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe
"C:\Users\Admin\AppData\Local\Temp\d426b3052507d0948a92165c9d2b4a5567725465900598e5c5823de44665ce7e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
39KB

MD5
83fa4398d20a86522c3789e810ffae7b

SHA1
beac36b369d5be81e973ad933451cf811be906dc

SHA256
ba0eb588fd71ef9bf2159a5b314ad5666003ba6e731d0648e2471962757134d4

SHA512
9d9543f96676bc40c050f67f95bd64d994e4870ad5aec9a5dd4451cdf718f6819a9c5fded4b728fa60c69dece9fd3e2f5b5f2b08b939259df63df89a676eeb5f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
34dad74c892ef0559d32c452c136e192

SHA1
5f0f8fbd237c9f731a13bf62a7641b3e57b044bd

SHA256
827b5b8d3d79a83adea70e3d28f870fe0ea6ab5416db2f717b74d8a33f97470b

SHA512
39d6e30bcd7bed80ba12aeab79fad93026fba07dfc26022bd8d3eef6bd711da09263f26013c17bdbcd7919eee3bc8cff2f1e1d13dcaff337e495d33853959ef0

Download Submit