e67efa169a1d2e25141a4b83616474c90cb9e215609d2052fa66d467a6244fe7

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864780c3bfb3f858695959432ca92690N.exe
Size

64KB
MD5

864780c3bfb3f858695959432ca92690
SHA1

fd7d5b16c4b1b2ab9974a0f3bc72fbfc7394227e
SHA256

e67efa169a1d2e25141a4b83616474c90cb9e215609d2052fa66d467a6244fe7
SHA512

8d34ca285a52df6a072b8fa496b8e0bceb02e0367597135fc54d83bc6468ba93a7001763bcf5917e1958076064e6f005d62d22bab363ceb49a504e76d3a8e86a
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPm:6pWpUnDXxX5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	864780c3bfb3f858695959432ca92690N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	864780c3bfb3f858695959432ca92690N.exe

C:\Users\Admin\AppData\Local\Temp\864780c3bfb3f858695959432ca92690N.exe
"C:\Users\Admin\AppData\Local\Temp\864780c3bfb3f858695959432ca92690N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
64KB

MD5
83ae2aacd6bc889861e3db76aa9a6a95

SHA1
b01c0c932850758a22251abfe94ac04e42fb190b

SHA256
ba0610ae71aa0d83aed5ddcd5a785171d6ab14ff6ca4ce9f01760c127d11eeed

SHA512
71a55acc4744a9eeb4a0ee99f5c701c510b98f6f1e5c1b75958daa8fe168855d08bdfd3c8a0aea2c85b4c6ef44bdc38e7688b1f1828afe6ebc46fc8e396a0e3a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
163KB

MD5
4164dae00d8d7e91fa500ad13296bbd2

SHA1
58baa773c3c2c742779d235fbefbf723af6ef072

SHA256
8aeefeb018a60a3970d20da052b96a7d70f4845ccb58dcfc5b0da1672a506859

SHA512
bdbd271b4c2f6e964ba467c56e389b1b8553256012bbfd0f5afecdf1873cbc42f4214b540a34ceeab1edf611035a77665b8f3983ff13853f0674aa8747ad09c7

Download Submit