8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
Size

32KB
MD5

a6685246b9b71ee3c1c36335fbdce17a
SHA1

b21a21969dda2f69538ed8c6eb14284f0de29cf3
SHA256

8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332
SHA512

354e3e07f865fbc0fbc6dbf36cf6afb6f8ef1ac63d369a12d76e3a4416fd3b882a52cc4a7d9472eac06f60131a2e0859c2f9580b77fbec1d66bde478e645c31c
SSDEEP

384:GBt7Br5xjLvassAgA71FbhvYD/DCgAgT9L:W7Blp2sspARFbhO9L

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.tmp	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe

C:\Users\Admin\AppData\Local\Temp\8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe
"C:\Users\Admin\AppData\Local\Temp\8064a258b9bd258a8f32842108f4db9b74300aa1fa3685dc76ba8bbe11de0332.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
33KB

MD5
60ffbd47bb7697f8bfe799a28dad7863

SHA1
351a8a0c0dd26b3fca85ce893f309a7fb4986d65

SHA256
e3a49c2d2d447c0351f6ead38184fc46a5ec33b762218d66e5604c0d26198eea

SHA512
e23dbf27620ad88329aa41973adf99fbce8e839acb91f33b2af17d9d2868a7652e8ecc900a819ff47a88753feb5c093b52d8b0b017d76159dcd075d142e97053

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
131KB

MD5
60b2fa4cd895f14b5a1433efa5bea614

SHA1
7b84c5c17e1ec2c2093756dce17fe1f78faec27e

SHA256
261bea8934bcea98151011d003a02b16093f89551c6076bc14de2b70c5418978

SHA512
d0664d9f5607c3be17aa0e8295643b6f8dfc6b3e336bbb1e541db72dc902d78f995cde22aec36f6acee57bd8e88eac31eb224f1d053210ab7820162de610390c

Download Submit