5e684542434283de76e6e55d0742067b75f7aa63088c67a124bc0e7c9d0a6220

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35d7d7f028c52b20c1fe8c8277c8ef70N.exe
Size

38KB
MD5

35d7d7f028c52b20c1fe8c8277c8ef70
SHA1

5a0b99483e2654433757722cbb3456ca860305dd
SHA256

5e684542434283de76e6e55d0742067b75f7aa63088c67a124bc0e7c9d0a6220
SHA512

7cb21f05b98ac2fc65bea597fe572acfc5e7a980d3ce6e87f89a3b371df5c59ad5264acaaa2e05f186e168f40475039f3d6404533a27ade38d57ff91af7d7299
SSDEEP

384:GBt7Br5xjL9A7AgA71Fbhvn+nDm0CAmmLg5Ms7spsZ8HYGkqvtJ+Jnhq:W7BlphA7pARFbhOm0CAbLg+snhq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	35d7d7f028c52b20c1fe8c8277c8ef70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35d7d7f028c52b20c1fe8c8277c8ef70N.exe

C:\Users\Admin\AppData\Local\Temp\35d7d7f028c52b20c1fe8c8277c8ef70N.exe
"C:\Users\Admin\AppData\Local\Temp\35d7d7f028c52b20c1fe8c8277c8ef70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
38KB

MD5
31ba328b23b78e90b451afeb530663f4

SHA1
f33bfec45ac89c05ab0a3e2e4163e6448b744bbb

SHA256
bfa50ec2c59f1769b1cc92d11e1627d3360315ff235fb988b6b8939f59871ec3

SHA512
0e303e03d776f03a0142a6815407c352b3d80653b1397d483488e1f9a363a78a8d2ae94e8b7143a9f3378e0ebcb66f4d5fd08a63030ed271599295925fa6cec2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
54141edddee9fcebbf5071649e7ba75f

SHA1
1138a3244dd0456943608cf6cdefb8a42521a7f9

SHA256
46b7a595c763464722aa917c1b964c2757e0f5798cf4fac8bce63779a8c4a1ef

SHA512
f5db4ab9d9c96ff56d4659f7ba546e1ccb97fd909ddfd4928606ea3211c6a0ef8436359dfa0fc75dfb27b8c5f207e537e098629e77de05112914a23b5a5adf8c

Download Submit