5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
Size

43KB
MD5

de9f852dede85f112e316e43936d9f66
SHA1

0e6a10823568a551373ce8142e01f6797aa662ee
SHA256

5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef
SHA512

1e8ae10640850408df1a0dc737702542aa1cf2dc4a2c2bdb7c6ccaaade888d154eeffd8ca0e24a40110da1c9c4fe65c5202db227681d575bc6e002b8d73c2233
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpNxAkJhxAkJb9+BSBmBCUK9+BSBmBCUKJZ8N:W7ZppApBULcfpHLcfpsMkPMkDJhiJhc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5286) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe

C:\Users\Admin\AppData\Local\Temp\5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe
"C:\Users\Admin\AppData\Local\Temp\5b537c34b70db41f66ce0dd93776a6a2cb0017820c4fca3f6153ac368f2a8aef.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
43KB

MD5
8be73bdf6ceedd67e8ccbce4eaa18841

SHA1
6b2fc25f73514fbb3a26c30a546129c79eab3d7e

SHA256
d97587b623e732b73fb894428a23d44d0fa642d08eb1dc0765838fb2acc19b5d

SHA512
113f57c5131a4ba2204b53c44b951977f87513d4f8f771dc88d9deb18107828ce1f5072f6e24ada9689195b675340580bd880c3dfae643e2a06a01dfcbb7a94c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
0d31b6f0dadae49f2865e62080de1a05

SHA1
c8a1d6e2bdfd6c25ff93618d0ae7816451fd7baf

SHA256
102c27e1faef25951f3e255bdef1aa6d0342e63a5c75852dfdecd69d71084f58

SHA512
52a238a51dec03cc78a116fc506afdefa444b7ef7d14319d1fc12354023f037b131c3ed9430648f24db36886389857431379a7cbdac912264d4c48be85afbe9c

Download Submit