0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
Size

69KB
MD5

e5e128a6d29b1ff2d53d9d43cb9d7903
SHA1

e24fb160aaa3cc888b787efb579e5c35bf37709e
SHA256

0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6
SHA512

9ddccaa3c79cc5aea168db53bede9434b8d70b11d6a6468f5b23f0c096c659de817f7d72672a51374e4c73c29a911f190042fca339db57d6e6002f6eeb12dab0
SSDEEP

1536:W7ZppApkxUYU30NQn0NQaYepnpf64rDQ0:6pWpkc0NQn0NQiBXQ0

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5033) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe

C:\Users\Admin\AppData\Local\Temp\0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe
"C:\Users\Admin\AppData\Local\Temp\0755f8ae5d087fe8c72f904768981d1d1cd74ca3b2e6c04ef3797ad1b26bc9b6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
69KB

MD5
4bc7d1ea9893d9e7367e99506f40b4b0

SHA1
1cd077e55705f6ee0215b4dd9265472d2e90b0b0

SHA256
7d511fe413c71dd9f0161e9adf53818d6265e9af8eb3484d0d8be78725906984

SHA512
c334f03014e6707255897310f6d1bf2e5a70f8e14027cc759830e2cc9fc5e3d2a60f806e4e32c623d1cf1de690d02f1db41f7cc3775622d40de9cad2cf986396

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
13bf90cbb292d9f393c973469c6e1c74

SHA1
a79c911e828523e20686575ed4928521b2aeb766

SHA256
901b98352691f19cc95cac55f71d43334762f68fa7192479b1247d220f190f6b

SHA512
ad98c836ba26c10127c79476dae5d3c517aea75a14a36dddc3a2e1fa0bf8dbad81ceef7e5fb92b320911aaaf009a9f7078a6160bbae2485cbe32c9932916deed

Download Submit