778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
Size

52KB
MD5

561ed89c3ab87ce3a34d78d2ce230d83
SHA1

35911b72b8a6d8f4de9412c3acf9038804c0c8c1
SHA256

778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b
SHA512

60c592ad9f7919cbfd4d4bd66c34af3be6f31d1442de4b5571719781c42dd2539fe3e8439924f07350a9463a22c80f4a287b3f96c95e7273c392289fd09adbd9
SSDEEP

768:/7BlpQpARFbhq1KX101je2/Qdme2/QdAe2/QdDe2/Qdme2/QdAe2/QdA:/7ZQpApq1w

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnv.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe

C:\Users\Admin\AppData\Local\Temp\778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe
"C:\Users\Admin\AppData\Local\Temp\778b29fb3570e62114e29dab7c2e0dd7b1fd3b1b65df0bf9f546b1abdd59970b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
52KB

MD5
96383f81bc9b53a545ab23713675fb3b

SHA1
3266ca2d8e72ae2459a8a6e4d616978037ae1330

SHA256
66c74dac3f66fad7832bda533a476c240e07f1a69c24a04531cd9910d10dbf96

SHA512
4cea1e4435d4c78fe81062dc2df09b2adec6d64d89c884a917077cd9d2b940c070107973012b1f05c567523f612e1d46bbe150bbaa65af82f727e61a767d2cd8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
066b71ad538fdd6a49f7d1797406c0e1

SHA1
b41534d7a61f559b090d7602fdc5b82b1a862ff7

SHA256
9f62b6666184b5a671ebb11a2ed20f6d1d4c93605f0614053dcff2a7347fd16b

SHA512
48a4ec62067106ff5106d85d0304f4be92c154bf88965f06fa72c951b7453034cc0380cb4c79c688efcee7432cbac1adaee022762493de4e5523b7a2666d2c6d

Download Submit
memory/3252-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3252-1972-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download