1d9c9bc4f5d6871bc4bdceb7992372caca642080c836d78753ea64520019d2bd

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf9dcd60dbcc755e8d44081817653a0N.exe
Size

55KB
MD5

7bf9dcd60dbcc755e8d44081817653a0
SHA1

965c54e1a703609855022a62be134d2e66ee4f04
SHA256

1d9c9bc4f5d6871bc4bdceb7992372caca642080c836d78753ea64520019d2bd
SHA512

f130f1fd54974adb7b8830a0750dd5024358fb4d64fe9dd99dbd6b343966eff6ae123b703219dadcef39b35767b9ffeddde6edf40846d2c09865e7174b4a1fc3
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0aEMdV8IEMdV85/V:W7ZppApBULcfpHLcfpX2/Nw/Nw4xu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	7bf9dcd60dbcc755e8d44081817653a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bf9dcd60dbcc755e8d44081817653a0N.exe

C:\Users\Admin\AppData\Local\Temp\7bf9dcd60dbcc755e8d44081817653a0N.exe
"C:\Users\Admin\AppData\Local\Temp\7bf9dcd60dbcc755e8d44081817653a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4384,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3056 /prefetch:8
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
55KB

MD5
d5faeb5ef6ac61c1f441a40a554a9467

SHA1
7da8c1f6ee66964cc9df64e3d460f31ce03211f7

SHA256
5e781ef383d9f725a8f5ef061d3f68354652411d213161c17dfeb7410b338dc0

SHA512
29fcffea841dc11412ef030762d7a79abe029167c1e8c7149b5bb322a058c8e9747d311f93cecadb49e54a7edd954293faddd2cb6f05259705db4aac028fe473

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
168KB

MD5
205da9cc10f56936664e2d628dec8e73

SHA1
051c463fe6313d9c696cdb079a12e23aa0ce7243

SHA256
94d4d4e60fa280758062c42eecbd138b078b65a34a83806c8e3fec59dc17a78c

SHA512
dba8d9245568d63da67c03c0aaa2371bba0b8bb17977591cab9c0ec48fb19fdc8594ebb839e413d205c53ac4a7b7d58cabf296c8f44bfab7c8a81eeb91f40974

Download Submit