8464a63312843e91a530c70d65297b1a244c25479b4e72a299c6c10d4e7dad90

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8b992d51b063286a1f4299e633d5e0N.exe
Size

57KB
MD5

5f8b992d51b063286a1f4299e633d5e0
SHA1

8886a70b3de102d54361cbd1153b003157f0cffb
SHA256

8464a63312843e91a530c70d65297b1a244c25479b4e72a299c6c10d4e7dad90
SHA512

9dfbfe340ef48c9eb07c7c3f5806bbd51c6df44b838a46ed31a4057716adf023a7ed80fdce298f1705cfbfb731a7da3869ab57955b07af78765341620b53b542
SSDEEP

1536:W7ZrpApojswv0EhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsx:6rWpcsHEhLfyBtPf50FWkFpPDze/qFs/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	5f8b992d51b063286a1f4299e633d5e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8b992d51b063286a1f4299e633d5e0N.exe

C:\Users\Admin\AppData\Local\Temp\5f8b992d51b063286a1f4299e633d5e0N.exe
"C:\Users\Admin\AppData\Local\Temp\5f8b992d51b063286a1f4299e633d5e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
57KB

MD5
a34aefd52246ef173e70e458d3c793c2

SHA1
9f578dfe96b51bdbce58352ab4427dd46fbc51ee

SHA256
e705a09dfb9bbd8fcf12c7ab390815ae303c4b0f707ee4ee923b22d4aa1f2493

SHA512
ad3e231da8e8207f93b10db37e3453652c85c9ef95305a8e69136ed52468fdf0af335d3c7cebc0ff3274c8f60b69a69455e24b1c029bc72b72c9799317bdc439

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
9a90cb08aead1fb3041ef7a28a6e3374

SHA1
bc2ba5954496dc00587b4dd3035a4af24eb2f94a

SHA256
e30a7d4ce47c43c88be7ea7be44729b30b47f549fde46b756b6515bcee5e25f1

SHA512
f8ee381b5256021bc553184ab2f12b180b1a90001e154200af367aa28e9c3ddff911e23bb949bcf4b6a44bc9387cd37139e7d139f6359700459f352aa62fc350

Download Submit