87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
Size

39KB
MD5

16bd8acad5ab35fa56fddd1eadfa37e3
SHA1

d891ffc7b72f4c728f646c7b23c73302c4cf1d1c
SHA256

87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c
SHA512

dbf6314ef5fb469eefc479fff3d762393e263b0c1e1d85aa364abd534252b41c2b015a433bee12c632224e190bf09d2a44cf2e509d0267e4bc43b73848726833
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLUtg:W7ZppApBULcfpHLcfpyD3tg

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5348) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe

C:\Users\Admin\AppData\Local\Temp\87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe
"C:\Users\Admin\AppData\Local\Temp\87364b575c14a26fa181442fa23a8031707e450f18f87e2dfd4d11718f851f4c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
39KB

MD5
8c6e193f0f38e3c67b9e7eb64af1240c

SHA1
1b6f512ab6f7445e4c3ab7f762e5b03063cb380c

SHA256
daa2fd39bb54323b8256f587fd38e55912954203547b955c5a7c299295d3338d

SHA512
a9786f9ba572d4605b4b7ed89092991028abac2ed1309602d38b0e76956327cef4eac9d32e4be9da6210b180666fd9226f1a42699db58063bf4a5554b88e941a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
4b8549089998275c2c8035b2a1cbbb13

SHA1
31514fbaf0c494543726a63b1a4ab89215c1d08b

SHA256
bb50b70d97aebf651b199ce475c0fe32de4b975d851dd3949bd24151a7c388b3

SHA512
38178b0da9dada7d78be751172689d96f0010c5f30c58a53bea3effd9fbac31f205a845a601348e67d6202abced7637b0450f5675252ac840af9d6441cd92986

Download Submit