49fabca6775fdfaf132c807f3fb54e0f9ffb726496baaab4dab69ee508e2b563

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53a74940f47d612b50f5794fe9dffc30N.exe
Size

57KB
MD5

53a74940f47d612b50f5794fe9dffc30
SHA1

40fac89ac8218257e843568e43178e0c7be18e57
SHA256

49fabca6775fdfaf132c807f3fb54e0f9ffb726496baaab4dab69ee508e2b563
SHA512

bca39ed6433567950c8d967c93dbebe62af36a9688d6d886abd369876a09fbaccdc7e9c00cfea25641e3f139883033684c6adfc04e5403c19139978109845f10
SSDEEP

1536:W7ZppApBULcfpHLcfpX2/Nw/Nwmx4ja0tKmmjvja0tKmmj0:6pWpBwchcV2Wxz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4620) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp	53a74940f47d612b50f5794fe9dffc30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	53a74940f47d612b50f5794fe9dffc30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53a74940f47d612b50f5794fe9dffc30N.exe

C:\Users\Admin\AppData\Local\Temp\53a74940f47d612b50f5794fe9dffc30N.exe
"C:\Users\Admin\AppData\Local\Temp\53a74940f47d612b50f5794fe9dffc30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
57KB

MD5
69fe33535a11637cbe6a5337f9f57b74

SHA1
2dfe9c4201e44d0ddb757b24f1440303221ff49d

SHA256
6e4abb12e38c237c8513bee48efbab8ede8d6b68412f227caf536c1245e47650

SHA512
683f4adbf6ebf9c5ca55ead4c8f72e8c318d8de34af6d604bf797aa1070b2b827a2fac339dec606008098ef0c7e6070be83e53a497700f3e5c93e3b7c7d9c6fd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
a56fa5a26950343aa420973317101655

SHA1
fdeea23c18b14852d1de6615013baf454826c91c

SHA256
981a1d87435f954db9a06cbc1b162a81752baedb7d96f7a0fb6caa3688900001

SHA512
c30ae6832217675faac51cceb59636ce582ee49de53dd9e030270ea4800ca75ca724576925f383134b82b6880bcffad34ed63d38ce599c369b99599a2e6a9642

Download Submit