1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
Size

38KB
MD5

13b73e26ade1c2c9f69d75b6026ba945
SHA1

bc632eb426714c31c1c3248f8a6b94c95af380af
SHA256

1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a
SHA512

23044f8a19e3891364aa95a79b0cdf4069c5d3d2f44781198309ac307890a8e4529e74d8375ff66dda1a50fda8cd36ccc7c73c5d1be70f8bd73dc40c2b270275
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzrYcUYcr:/7BlpQpARFbhNIrYcUYcr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5282) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe

C:\Users\Admin\AppData\Local\Temp\1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe
"C:\Users\Admin\AppData\Local\Temp\1473ecccdc524754919878e5b3b047b75c0f589b53344d260b9bcf58f228278a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
38KB

MD5
6432495dc3f0170414b200d764928320

SHA1
1c3dc9146112215a9b6c8f6c382ff2ce1c5cd6b0

SHA256
a2d640e13e310a13dd10d5d79e42d85708974c4cbedd1a0801452cebd92d383b

SHA512
9df21dc92cb6fa27f288e3873e669bccc02ff6302f4ff4bcef35a3f241665e6b3e4c5c15b70157b5895700deee87c9edb3b2df07facfbb008e5d40b7ae253559

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
97fbea8f1091af01798391b31a1cb95f

SHA1
793cae9956bbe4aaecc70a12fd3825bc0081b825

SHA256
ac87a99146aedb64e4a30157c980bdb6dd72f9a5ea98419ce1dabcfe713bf42b

SHA512
2b20020c78b2866b9443be8181993af2346160dd9359b13ec33158d897606cb400534c1abcead4bbae8ef1d38dbaa7d591a7a91c68f41a7e5ed21fc95f3f8754

Download Submit
memory/3708-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3708-2020-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download