7e0a4f40aaf10c411ced9b097b12a06e7d78f00c6b329a07547ad842f2391f60

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 22:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

192f1508ce9f2b6d61cd163da10608d0N.exe
Size

110KB
MD5

192f1508ce9f2b6d61cd163da10608d0
SHA1

e2f5c0a190fb22a3a17e54e61200d04cd60404e2
SHA256

7e0a4f40aaf10c411ced9b097b12a06e7d78f00c6b329a07547ad842f2391f60
SHA512

4099f201b3ce07bb4cdc3c1a3fbc547626481122730ea490edadba0efc9a863e1c86ecc0e09ee090ef22978e30d1a7d3b81cbd5b25e468bbfeb67303d0739312
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZOf7fYxw:RqKvb0CYJ973e+eKZOf7ft

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4306) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	192f1508ce9f2b6d61cd163da10608d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	192f1508ce9f2b6d61cd163da10608d0N.exe

C:\Users\Admin\AppData\Local\Temp\192f1508ce9f2b6d61cd163da10608d0N.exe
"C:\Users\Admin\AppData\Local\Temp\192f1508ce9f2b6d61cd163da10608d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
110KB

MD5
31ef05359e6373beb9be664005de99c6

SHA1
ce04b725269b81f5150fafd8d4805617eb8222ca

SHA256
1fc546cf0efba7f43abfddd18053f0d0b4136cc6a4cbb7465644e795dc14a32e

SHA512
41be0f9dd15a897c80cdadd128168380febcfdde011fe84b87f5bf5d9a3ed94d01fc027df13c9a8f5ac5e35f1165ddd5569253089990c714a3b496345b6c564d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
209KB

MD5
e3ee025306f7f3eeef956c4b7f4d618c

SHA1
42daa2cf1e65ec8f163f0e880b091ac16973ed04

SHA256
2fe7e67790908c4605803a589f45a3d2e9d013874d10d17088f9dbb203c62d8c

SHA512
b610a97f717f128b3d705b6a2fc7a8e1e40abe891514c52080db5dc02f0b09875598a2d1445e02f92e3c3a604379607de72d932da51c2c272a82b98dc8edebbe

Download Submit