65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
Size

45KB
MD5

92f2383a42000a1493ee75c3d64bfe81
SHA1

020702b813e5f252761ed0dd493b6b41dba0897e
SHA256

65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd
SHA512

2c9a80f9c144f24336ff85158fff26a0969b2fa6dfafaa302e08e73af954da6b56dcaffdddc9d95382d6cece26c863f8993f64e06984e6da51b2b9447a9e4e03
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpXfxRfx4bc:W7ZppApBULcfpHLcfpXfxRfxR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5292) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PAPYRUS.TTF.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe

C:\Users\Admin\AppData\Local\Temp\65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe
"C:\Users\Admin\AppData\Local\Temp\65c7d18bffb4c02159e3a346b3f5980a2da09004a6d009271df82ed9d5066bfd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
45KB

MD5
5e88c5d1df3acc8a90a102ee3eae97b6

SHA1
d98f402642527dd34f340dcd3f921f737046dd04

SHA256
1c09cd31132cdddd9dfb9fb0bc412a0c85c3e4420b44d61a9ef256ac4d9809a7

SHA512
c2a72868821229d8a4986ba4be609cdf733489c99bf05cda6be15e82af1fc9c632fac75b4907501412e8d179ce9bd6ebca544153ffa50e1a3e82d219cd876943

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
aeb234143fe8fa8de7903a77ffff5700

SHA1
988f8ea8482354f811a579c2b90f7b4e9a6ce904

SHA256
a66e7480b9d92aeafd52757ae4d2c4d2c2ae802e52a188150a55def7bd3ee61d

SHA512
83a8be1998db29bd0a7a96e17be2f8bad48e061dee1ccaa6a0e4c0c84e29fe297d5e659fe00e1fe4761e3c6f7c8fe091bbb7710b9775c28edbb267892a8e8898

Download Submit