61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
Size

58KB
MD5

dc6bfefbcc6695aabbc05a0723c9df36
SHA1

21d1212faee145ba147171ee5b15707b534ad30c
SHA256

61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31
SHA512

8e945c7a5eab7e45d5936e3909ef5816f9c8f42ed99ea8c7570d085bfca36fc3d2bcb293ab0cfd2f3cfb0ffdfd1aa621fb0e7dbf47db2041fa0963b6bb5f540a
SSDEEP

768:/7BlpQpARFbhq1KX101je2/Qdme2/QdAe2/QdDe2/Qdme2/QdAe2/Qdqx:/7ZQpApq10

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\readme.txt.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe

C:\Users\Admin\AppData\Local\Temp\61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe
"C:\Users\Admin\AppData\Local\Temp\61495835f77d1b8a3f1e54b233900a154d5efa191f02f0f5cc6dd3cc74c2dc31.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
58KB

MD5
821324caf378e92786888a52400476a1

SHA1
700684ae407abd80e6ea4da6e11081fea2255895

SHA256
a8d4a456b598831cfa7b74fac24a009147d9e31a9f4790f46b651a5848e8d0cf

SHA512
582d695f6a32bcd7ea738039e21a9b9dd11814db376a9ff4cf0c62d2068160bda2ba1fff48668b2d9ebb677534eb6c78837180e2dcce5aa3a91b43d99a7a8f6c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
157KB

MD5
56f072e1b572fdce0fb9682c95d7fad2

SHA1
de46ed8ba95b4133d1e2c2e123ecbbbee3ce15b7

SHA256
5f319e3d79c6733d09979419f27c7899f3fc55bd451549cbb2aeda7a46311772

SHA512
29b89e3ca9dbd3ed00dc536b23f887eadcf57fd9cd711caee0564c24857acbcb02e343d56a75a0e7dc042a53e9b686dc628b301f3b73b971f9de310e2127679c

Download Submit
memory/4636-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4636-1936-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download