7ae5041f1b1e47105bed48c1a7792eee5ab0166b53f478540df6860c1e564525

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
Size

135KB
MD5

828fc3c2ebeaf0fb3b58109ddf9c3d80
SHA1

0f753b9f39f2dac6b34b28d7e14fc76532bb2021
SHA256

7ae5041f1b1e47105bed48c1a7792eee5ab0166b53f478540df6860c1e564525
SHA512

a118edc1b807002116abcd1200badc147ac9b547c2068cf900f44454d813b1a8d3fae1fdda8ee5aad3a3fb3e86764c88f4e9938bc319759f91dcf806ba5c3315
SSDEEP

3072:6e7WpHIyRF9ESWu0SWuDmSXrw3Mtr0s8P43C:RqlIyFESWu0SWu2s8P43C

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3740) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe

C:\Users\Admin\AppData\Local\Temp\828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe
"C:\Users\Admin\AppData\Local\Temp\828fc3c2ebeaf0fb3b58109ddf9c3d80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
136KB

MD5
d8425382a5fafcb80897f55d75517fbb

SHA1
710e708c6b686472bd8fa9ab2682cebb806c2683

SHA256
1cddf303bd1786f027e99e03eb4c7a12b89be0871d9f3131c19bd73a0b013f2b

SHA512
f60ec4c816ae6f15158a4216e528a37ff7674645de979716ae6914232180b103c02375581f601dcd86ba2f01ed6708cfbd75d8db2b94a689c1fe82544ff41ba7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
235KB

MD5
0fec8506750a562444bc50d1e4730514

SHA1
f7a0e7b6cea7d7c1ea03ad4ed72e00068dc00bf6

SHA256
6801aa23736b31d0d1d51e3d070318de1ab10a6b7fecec29b44a7c607cc7e32a

SHA512
ac334c3725565cd34ac1e4525495ea66803348822e2d12dc31972f2eb1f62406810d30a69accd3392f985ebf03960fc12535a7d4b9bda6889ee85d270c23a4e5

Download Submit