15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
Size

56KB
MD5

9c1f3e505245a7e736923298680196f6
SHA1

cb92957065c6e98c0372429d0ccfa51deedfc7f3
SHA256

15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f
SHA512

bbac10d1fc72b25ebe4d2486b4437f57b82fdd3dba515ff4a6ee0b2a49b0025ef7ba4554425d73ab1b4bed463f2740c6aac2fe94da7ded696bc8267355f98df8
SSDEEP

768:W7BlprpARFbhJ68nNIreUYEreUYX1na+3mC+3m5:W7ZrpApJ68nNIreUvreUunT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\SalesReport.xltx.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe

C:\Users\Admin\AppData\Local\Temp\15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe
"C:\Users\Admin\AppData\Local\Temp\15483cc9eb89a9309b1a032884d70113b75d900feefa49a3b0655c8ae94b694f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
57KB

MD5
01c447454ea1c7196d4dc6701657b088

SHA1
84cb9aa6f6acc374ab42d61be602aa0b4b1356bb

SHA256
ea1341dfbf6137e29a95187cefb6037f2d4a50f2484afa4f37ab5e92548b68a4

SHA512
2dc558c65fa277e202fc869844fca6c9f80cb1d44a88664fbc6918f9194d0ee814cf200ef986973b2185512eade5cfccde9053dbe17da3f0351686ad5cba48f8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
f60b056de1fc988eca9c8fe7d29d3bbc

SHA1
459fc561c451515e7b591de4c07ba860b62f4891

SHA256
7beb7bed367b047f3694673f9f8317e6a79bb7802ccbeacbd8646fdab6d96ee4

SHA512
2a011d35f7c8a22c5c4012b20dc31b5ea9ec8906ac3d4111180d1bf21790298a1144e461ce144a8c475b08e927665567466ba5bb8ee86fd1fef568710b193718

Download Submit