4baf095bf78123f73f19d5078c478f0fb2f32bc100d4eaaa81cc8e2e710e3abf

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2668b14d5865c9eb3a76c920fb312670N.exe
Size

39KB
MD5

2668b14d5865c9eb3a76c920fb312670
SHA1

10bc1c0471495410bbc59cc9adc4a7496d9c2a57
SHA256

4baf095bf78123f73f19d5078c478f0fb2f32bc100d4eaaa81cc8e2e710e3abf
SHA512

f40493d35b9c4f85f2fbfe1743d365c4e694cec12acadbeb47409213e108d95c020d0186adc849987a517d482db52ab0aa2035b21b3bc8104860940e8cbf3852
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1j1AJh1AJA:W7ZppApBULcfpHLcfpSo3fS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	2668b14d5865c9eb3a76c920fb312670N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	2668b14d5865c9eb3a76c920fb312670N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2668b14d5865c9eb3a76c920fb312670N.exe

C:\Users\Admin\AppData\Local\Temp\2668b14d5865c9eb3a76c920fb312670N.exe
"C:\Users\Admin\AppData\Local\Temp\2668b14d5865c9eb3a76c920fb312670N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
39KB

MD5
de27fc5418a4551d3c354dcbe736d827

SHA1
a6e9e9f9be47cb7e469d7e172fd2d29a8373ddea

SHA256
7d99bfcc2edba2b429705c4aa74f6ff2667bb9d6a4e0172fa8205b4f21563c00

SHA512
849115e5a3bf0b77c43c8af3dfaa03a2848564d12e2cf0e6654ec9813771e40866fc23f8432c52e8097136102b90c2cf56bce9bf402931a951af99cee1d3fec5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
607a3b8b25893c7bc303d26d211dd4ef

SHA1
a0a7ed3964eb4428facf8598c3ed99b66f55726d

SHA256
fb6d45d7783099deb2d463cde35e58b989d40fbd104c2f70b91a0beef20806e6

SHA512
bfaf2f12ff0bdf99ae5fc75d8640568a8795e84c218953e803aacc2157cbe3dd054768300816edf1db10cbe4baa7d9f0f1a4cadf0c11b365009744f94b3fe975

Download Submit