550d0afa912c5573fa2382371988be84cc3d72d5410906894282c68d82042fd1

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d0641c0a73cad3678edafec3bbf560N.exe
Size

39KB
MD5

b5d0641c0a73cad3678edafec3bbf560
SHA1

7dd99182228b07ecd052e2b3d61ebc6552e61d7b
SHA256

550d0afa912c5573fa2382371988be84cc3d72d5410906894282c68d82042fd1
SHA512

c1b8a8bbe87f3e4fd92d2cf7fb5bb7be2690b38fc78522c0ccdf622e09bade6b704fcee66f0c9cc2a28b4fc8f0b27564436aeaca329e9fd93e654b763b99dcf1
SSDEEP

384:GBt7Br5xjLvassAgA71FbhvYD/DggNNHpQKMNHpQKMFwS:W7Blp2sspARFbhVgNNHpQRNHpQRh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	b5d0641c0a73cad3678edafec3bbf560N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d0641c0a73cad3678edafec3bbf560N.exe

C:\Users\Admin\AppData\Local\Temp\b5d0641c0a73cad3678edafec3bbf560N.exe
"C:\Users\Admin\AppData\Local\Temp\b5d0641c0a73cad3678edafec3bbf560N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
40KB

MD5
0fa77fe29d7177db8a65f80363cd9713

SHA1
64bd5e90b396745171b163062879bab6fd8acf32

SHA256
133943cfd0c47986c69136db1d683eca8ccab14de68f3fc15056962371a9458a

SHA512
1d038c4550a4188a89de35661ce6a5b09e5cfe5b47ca6cac6cdffdd5b25d3f89b1cd1a527502171fde207b13a9eae08d95170f9e841d0f1cf1ba250f371099e3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
0cf71e18cc75113a7f4073f03d2a3afe

SHA1
a7f3337e11529b00745c10c87851e238e2a8bd5b

SHA256
4fe7373086d603a229947801bf92d023494b524f16940e45163bd3e72e877c3c

SHA512
01654c8ce462b149274563c64e2b3bb2d068b5a7c90389c6c979de6e77f05266fc3151488501fa59eaa4c696b2f2652f22fabd18574e7c0de5595298aae39b88

Download Submit