25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
Size

34KB
MD5

cba647afb4e9bb6a65b5d04024e303c5
SHA1

00d98652403e7fc597febae9a9594bb81e4c0802
SHA256

25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797
SHA512

dbe301b29b0ae00a2f64c0c2a313cb9fdcdff377724f38e3feb7d9bd4b08bcc6214b3a961870d7b96b59c09c663c937d76c84605b4f32cf3144b7d84f35ff08e
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBpR42L5FgAytBpUs7sW:W7BlpppARFbhjbhg42LcfpR42Lcfp7

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\concrt140.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotx.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe

C:\Users\Admin\AppData\Local\Temp\25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe
"C:\Users\Admin\AppData\Local\Temp\25347288d30dc77ec571ea0762558b29d6eecc329757d76cd1fbb540af21e797.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
34KB

MD5
97651cb0afa7c483405fec8312f03e48

SHA1
cc91f57f28b06f96f86cccb385940c07248ecffe

SHA256
1f341d8298331cb56f05241ac407f65d6477ec2baa70787894380fb226f2da47

SHA512
f175933630d8e8e7755d54f52715392362988474d126b514039cb33d0b773db12ba0d1a9a86c64926e336899b58425fa73e6a2ef0a4cfa2f0328caa0afc67436

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
52e83d58f45fe3064241e675b7b45ea9

SHA1
60c110a68aa32f84abf58ca6c0e57f02b715b23d

SHA256
bea178f7b921d02f9e69da858c5682df5ecd51adbd1fd050988383b8d499724d

SHA512
fd0c4a509e28676a0a252b4352d73c1ce44e7b9e9673e1190b757a9ec397b5359af36a5342c081bf1eaaba550c488cc59cb2fca7fca324499732e54a77b0c5e5

Download Submit