a2b4815f7851dede8afd3996a633b737e4d92c9576d7c3832bde454c7beabfbc

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

825d14dc71a4be039591493acc92f780N.exe
Size

59KB
MD5

825d14dc71a4be039591493acc92f780
SHA1

15d877f0ce39adc968360993a4ab50b4fcc528dd
SHA256

a2b4815f7851dede8afd3996a633b737e4d92c9576d7c3832bde454c7beabfbc
SHA512

b9c91f2e34ea0b2240b68e34243792aa02f4718438ab747b639573beeb5223f53ad655d9292e1d3a8c2e09baadc2ce029ed3f4625d2b426581e1d7d5d34a1bc3
SSDEEP

768:W7BlphA7pARFbhOm0CAbLgsNCSNC0K+R8PERuV3u5jwhh/EPP/E+vWi+/E+vWiDv:W7ZhA7pApH16m3ueTg/fu/fj

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4664) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Cng.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	825d14dc71a4be039591493acc92f780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	825d14dc71a4be039591493acc92f780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	825d14dc71a4be039591493acc92f780N.exe

C:\Users\Admin\AppData\Local\Temp\825d14dc71a4be039591493acc92f780N.exe
"C:\Users\Admin\AppData\Local\Temp\825d14dc71a4be039591493acc92f780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
59KB

MD5
857374835adf64cfdb3b6eb31af7f251

SHA1
e78e8b19554e9fc3fe88ffdb7637d318053c5d74

SHA256
ae31b24c7d5118c685f694c92421da99f9f3a5987a6e6e54582e4479d1b6cdc3

SHA512
fe0eaf43619ed0b350050bee534f00dcb56c86ccd107ffcd39840a83e1ee0304fffc302719eaa2d5bdf76d276f0b603507bbbf98c3b6a9ea9dd2db0ca07eb7f3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
a9ae7d74ed0ad9518ad84f6bd0c226bb

SHA1
ffe53870e551b376c047e4c55badce186ca6d152

SHA256
0076d24f85392047c196779f5f59cca4df2ff14ca6a37df57fd188d09a2c18cf

SHA512
29724134299ec8f24af308714b8ca9464d7cbac20b0288337c52c273f5dce4d2fcaefd50ebced0b67298b96f587f5d764f7d2a20535524741df2749a4fa8df04

Download Submit