78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
Size

258KB
MD5

ce56cf0728474160a584bd295c9dc9f9
SHA1

b35d4f1e199a4080c2bef96857e80a7d5231eea5
SHA256

78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3
SHA512

d55fd5e947a02357e4ede2e48e7a71f66986f4da0ca039b5839fd5eb6976963631ceefb4cf269d0c6b1f2a77ebeffc840e38a81e2365d2a207f432ca746ac110
SSDEEP

6144:AonmhNYRP4V7bh3tspT4uK3Lp/lDHxY+a:XnmhNYP4Jbh3tspELFhHja

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe

C:\Users\Admin\AppData\Local\Temp\78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe
"C:\Users\Admin\AppData\Local\Temp\78ea863a5fe951a387f9feba18881f8eec9b8c6f4ac4d0c1cc5d08a259635ea3.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
258KB

MD5
7387986985b13f2374407123f64d6e83

SHA1
257855c1cf5da23edc120ce0f9b6c197eb3d5086

SHA256
a8045e18a396b3e1e2d6536502bba9f39c6ab656d99543824aecfd78b10f2b34

SHA512
4135fc44505228a789985122126fcf755004b42d92bb656f0755b4279d90b0187b1ef4a104621a99b702ecefabd2fdf171f174f9d21c40f1cb5b38f4c500e625

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
357KB

MD5
265900c84d278e9c9c24a4dfa8c5e879

SHA1
6a9bc0c31b11dd42bd122f7f49e742a3f7ebf62a

SHA256
254091f89eaccc3f3c97b8a25202c9a2fe45329c050482eb00746eb664361b3e

SHA512
cad32a4969a6bbe92607ecb0c12b2b601852844d9f8325bc11cf0cb187adb028b1d03e6d44e5ae9810c467a782db1f60d5f5fb44633524110e1c95fb297edb8e

Download Submit