121e6d7aa1795f37936e297b119adb12a5dfd6a2c5b915e47f4f752eb4a95289

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfa95cd174241c3a719e246e0bf9500N.exe
Size

92KB
MD5

7cfa95cd174241c3a719e246e0bf9500
SHA1

80477eb4239e5e5b44500e50fdc12e8b08166d80
SHA256

121e6d7aa1795f37936e297b119adb12a5dfd6a2c5b915e47f4f752eb4a95289
SHA512

a850ef2f2993b1a60ce343f7d7f08a1f4b4432b21b7698d8467a052bd3dfc910c43ac4bc6c62317e29a1cdd9a24d9c0556dff455e6e645a9b15c80d3eea677ab
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eJG/x/HfFpsJOfFpsJa4X:6e7WpMaxeb0CYJ97lEYNR73e+eKZHfFM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4533) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	7cfa95cd174241c3a719e246e0bf9500N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cfa95cd174241c3a719e246e0bf9500N.exe

C:\Users\Admin\AppData\Local\Temp\7cfa95cd174241c3a719e246e0bf9500N.exe
"C:\Users\Admin\AppData\Local\Temp\7cfa95cd174241c3a719e246e0bf9500N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
92KB

MD5
2da9797eff346c677f285b882457b0e1

SHA1
6b18df994c32e2d7cf2e0b6d393221c8586fe253

SHA256
4e3f987e43973d1bc81821a6bcb7fdf30546ebdea0dd48afa9a3f553345708a2

SHA512
9658d553b9f72290a31ed363c5bddec0545d8cf89efa03d359debbc66b459f78c09bb2d40367311c43b3eaf8dd1ccbc387d885548eaf5ce007974c5edefaf106

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
445dc7036923f0f44ff7318de7ee483f

SHA1
168b6cfd1748ffbc84ef289dc0f8c019f800df14

SHA256
7625aa702b19b2e7338870bf0b6a1c066d474e4d94d92709cc64f9d1f6925f7b

SHA512
e10440419117f3faa3abcf0088e12fc786dd79cf77b750e04d273d5476d90cbe804e7c8688132340edc7b0d9198a36748f4da213ba807d55bffdaacdb570f301

Download Submit