45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
Size

85KB
MD5

15b0500472970e36db4523e54c5f50c5
SHA1

0085a748187dae428b27736468e825461b242875
SHA256

45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7
SHA512

f725c839b4cbf26d285d4e93ef83ee72b94a4b1e9057ed1aab00a2efa1ca4cc85c0c12bf098f7ba7d28deb9554011ff599b8957392bcbf62dea8f277b9ce2bdd
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzY+:6e7WpMaxeb0CYJ97lEYNR73e+eGGN

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4830) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe

C:\Users\Admin\AppData\Local\Temp\45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe
"C:\Users\Admin\AppData\Local\Temp\45d8b8bc7cd8ec7691b9962dbe000d3dbac9bef966c419483fe3645aaf5263a7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
85KB

MD5
3a3ba98d2e4de0859e2555e305b7c040

SHA1
8ccc9413dd0c90d1f83f2d14a6a354a5c00fb3d2

SHA256
a5981bde40724d493b3fe3d68ffb8221a027c55c09f1f7bdada99a19b5546b6f

SHA512
f190e3e92c80c098735f4a503b04fe1564f4eec37e30cd1d57a11f4f9be5de85fb6a8bbbf3226eef353138eef9bd48885d13fb20f9d7ffe154fcea01d2a577e7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
184KB

MD5
5f6dd5f1aaf0665edcb3c7d283e53f59

SHA1
a9aeb0c80955188ba1ee6ee88c56732ba5df01c0

SHA256
d0d48ab2d01d395187a9d5fb121a5491e6838de4644b3f6cb83499201647e1b4

SHA512
e1d7b73432a6a65f58f14379224b4b2f0f861fb12961f5169efcb10c213aa8c628dc317e22bd932f7dc9bd9e31f6d5043b5796ea805f54a2266d9b6f152e2048

Download Submit