1ee3d23456fe1c22e798655d92e09cdb77d8fde191b0fd7d95b63fe0b5afedb5

Analysis

max time kernel
119s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864e87ea02132bee0873b0c3bca03f80N.exe
Size

72KB
MD5

864e87ea02132bee0873b0c3bca03f80
SHA1

8e40d4e02791f4ddc3466af0c127500a227cd0ae
SHA256

1ee3d23456fe1c22e798655d92e09cdb77d8fde191b0fd7d95b63fe0b5afedb5
SHA512

226c1d8a6cec7dc08134260dff0e7bb6829e0fc6d145c6c3d052f98bd195f95e558d9a2197139c47c9dea5418ad66c6bbc96b43e9856638080423a3ab6c2cc4c
SSDEEP

768:W7BlpNLpARFbhblkYlkrt8PWGoPWGqMs1MsR5nd5nyQG+QGHnTVwnTVRiV:W7ZNLpApCZrt8PWGoPWGANdNykloziV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lv.pak.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\d3dcompiler_47.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	864e87ea02132bee0873b0c3bca03f80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	864e87ea02132bee0873b0c3bca03f80N.exe

C:\Users\Admin\AppData\Local\Temp\864e87ea02132bee0873b0c3bca03f80N.exe
"C:\Users\Admin\AppData\Local\Temp\864e87ea02132bee0873b0c3bca03f80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
72KB

MD5
f5bf1821defb7e1aa3b35c6ac2c6323c

SHA1
7853c4db70c498b2aa61e3458e7ef89f010a0bee

SHA256
f92f1a29e9be328464699379f20a9ae70b895266e59614532ec3ff2e606f249b

SHA512
0f4666873276c5a8378af34dd67c05d19a9241d31316191d262ed5169016f18933281d65dfcdf108bcb808b77ce4bb6223994f9b4dba004ced13b155f4e7b016

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
5d0938964fb3fd1e3ec2c5aee9f1becd

SHA1
57f73425bfa9ce8f33aa7d81edf46708add8131d

SHA256
f170ba571608a7a4f47b4ea91892269420bc30474745212e4f44a36a8dc24617

SHA512
2a479401377a9df806a9c7284ed8fa5c931a08651b99e2a38b03b5470a471d56d0165aa212b7e1ad8e6292fe0944286326e221bb62d574287bd9aa2afcb852f7

Download Submit