59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
Size

57KB
MD5

105c5a70b0664635775c74e5857b2e9d
SHA1

89d4161db2717f2532ca47f472de508215f27695
SHA256

59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d
SHA512

a07bf91e36d19317d5cd1880b0c9fd5a2c4d9c6fc0f93482f3bafc7ceca27929d1bd35be119c96bf1a785d1ad6faa7fbd03e831fc7d36f28b6e0d517eb49eef3
SSDEEP

768:W7BlpppARFbhknrAqQ/Q6JYAJYMMF/2AxXxXe:W7ZppApktshJYAJYDVXxXe

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-REGULAR.TTF.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe

C:\Users\Admin\AppData\Local\Temp\59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe
"C:\Users\Admin\AppData\Local\Temp\59472ac52a0c6d4ac8e8804b0f5ee3c759596041474f59c08a35aa93104c0d1d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
57KB

MD5
61b64561f6d5777256f3a77468ad93e6

SHA1
948f3230db4376723d2a3645d98ca0cd282096c3

SHA256
ae12fb20b8d4dfe3ae4b5c7e61849ba7c5a40138be8e96e8f14e8cc93e47fa13

SHA512
85ef6c5da5f26a7c78b1e5d1218d15fcb2f5aa38f425fe6dee17627914e5d0a6945583c6a48000348e338ebd3b46ec6490a16e111eff00a6d935480bc05f5649

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
5740fd1976a188672ad4acb3c6da9e9e

SHA1
4867701a0297df44c6a0fd9c51c618475dbb18d1

SHA256
b74ff98e775c1adcf66716906762ab7372c6af38a84bcccbc29c2f3d23fae16a

SHA512
7da65dc894f4a43d60fedb28e47d112b5e53e2ad81757689038eff9bc557486c2a81cea4aede4f4dba3b11e469fd3588e486ea37f3f92870edbfd895d538da22

Download Submit