b8ef13a9b3bccc13a0184f7b9e4847941b48f8020b260202e25a1da62847d9d4

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 21:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b42360c7d28dbe14a2df92bf0ac0f10N.exe
Size

68KB
MD5

0b42360c7d28dbe14a2df92bf0ac0f10
SHA1

e628715d0bbd98309a1aa4d36b9f7890e199915c
SHA256

b8ef13a9b3bccc13a0184f7b9e4847941b48f8020b260202e25a1da62847d9d4
SHA512

8655ef29ba082d7d48413af648bcfd13e6cabadb60db057591d63e72e9626d1b8e85febea3578ce8f319417dcf71c0d47a8f6bed15d974bc3783f51649d70e2d
SSDEEP

1536:W7ZhA7pApMNcH6gW4Wvs9s2cic8GhGvn8:6e7WpMNcK9vG1WJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	0b42360c7d28dbe14a2df92bf0ac0f10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b42360c7d28dbe14a2df92bf0ac0f10N.exe

C:\Users\Admin\AppData\Local\Temp\0b42360c7d28dbe14a2df92bf0ac0f10N.exe
"C:\Users\Admin\AppData\Local\Temp\0b42360c7d28dbe14a2df92bf0ac0f10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
68KB

MD5
097463617925ed4a50de656a7b8d50fe

SHA1
ad058da2512b8c7959673965682351a636457c0a

SHA256
2c16448d6cb66bba877f602554ac60dd2021294ec86fa01719178c2290f3fcd0

SHA512
db22a851e93d64b70ea5046d7c19eea6bb884755f71d4c9377b260c48e52d893fc94c03bec7d56c09bb398bce750e2239ede52aac2f54bd130a0415400372d0b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
167KB

MD5
907ba542425c3fdae7df258d2628068b

SHA1
0982a218abf884fa9dd06e221ed63f373e092ac9

SHA256
a97a26b39ace567e971dc2459fd371e1caf4734fb3ce419c93a2d8290d7413f2

SHA512
039c92a8101d622c8482392ccbc045f1c4f08d24eeb6be06a0a241ffb67c1d3dd012c8dfe036e019e6774d24c9227d42da65305e5392965c9187c3489f7050bc

Download Submit