4469794c294997ee7152982d6a06996841f4c2c5bb2be355124167d6ccfaaf98

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf55a05526a29e56aaf575243d59790N.exe
Size

50KB
MD5

7bf55a05526a29e56aaf575243d59790
SHA1

e55228447a2d4992371c1c7e0f4419c537945363
SHA256

4469794c294997ee7152982d6a06996841f4c2c5bb2be355124167d6ccfaaf98
SHA512

d5f2ab37cd5a4bd933735bf34e1b7e9e2252664c903f9bc3fed02aa0b5e47c493d7fa924d5397147c4b1ec5cd1721b725263dc8321a7528be0db1de5a7e14402
SSDEEP

768:/7BlpQpARFbhn54fmiy+3BVr54fmiy+3BV6nE101/:/7ZQpApmi6n9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	7bf55a05526a29e56aaf575243d59790N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bf55a05526a29e56aaf575243d59790N.exe

C:\Users\Admin\AppData\Local\Temp\7bf55a05526a29e56aaf575243d59790N.exe
"C:\Users\Admin\AppData\Local\Temp\7bf55a05526a29e56aaf575243d59790N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
50KB

MD5
3503534f5b0bd790d9b4f15dc49b7ef4

SHA1
4278828f943725ac6b82df95e5b4f567bedf9f52

SHA256
d4213e03452ab7ddc212589fd839dd9cd0d8150891e684fc150eb6ba41ec152e

SHA512
83e28157c715a2d5c8ce2c489dfba0f8ee5adf5b9d380126e8ff6de8901ed13f81cf58e05744fec3f8fa0bc066d9e1883b146e77f4cc5840f9ab4bb46742016d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
8c38549424c04ca0bd1f347f1b1f0e60

SHA1
f6155e1febd31850747fa6dabd03b18e4afdce3a

SHA256
070b396eef02718c713d4bf9297b816e278e1662c8eed329eb40c087d9986d94

SHA512
301d166ae064f5ee0a59cd683b1e433e93d0bf5d9cf53c5f384a4c5d4b501f64b99713471481697110eb80de9882d3d6ba3bf6dc7e4409f0761de574cef34f3b

Download Submit
memory/2320-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2320-1952-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download