c30229ea9fddc6b957d71747531be5af877475bcc8e1264276c75855d6ffb8e7

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

978645f104b7e01a6268b4d1ad29e390N.exe
Size

84KB
MD5

978645f104b7e01a6268b4d1ad29e390
SHA1

96e17c71a49c21fa25272b792ad49c21d34b443c
SHA256

c30229ea9fddc6b957d71747531be5af877475bcc8e1264276c75855d6ffb8e7
SHA512

de7675c38c9af2d0487f49321838cb376c70608d1315c624c7a959f6560e3f6d8e8f0e5bd5b7d84e90c13c1414830e7511983b83d6c6350c99dbfd5e4efbbf4f
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eTdsdD:6e7WpMaxeb0CYJ97lEYNR73e+eE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4620) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	978645f104b7e01a6268b4d1ad29e390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	978645f104b7e01a6268b4d1ad29e390N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	978645f104b7e01a6268b4d1ad29e390N.exe

C:\Users\Admin\AppData\Local\Temp\978645f104b7e01a6268b4d1ad29e390N.exe
"C:\Users\Admin\AppData\Local\Temp\978645f104b7e01a6268b4d1ad29e390N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
84KB

MD5
ca269e9dd5c2700097710c42d64f5f23

SHA1
5e64089f03601f9cabcee6cd73d6fa4e909bd6ed

SHA256
0a85d51d55151621f1f601d9b62f752c03124099b2fa56b724b40e70fa017db1

SHA512
36e5f07a6561f9583acbdce34ffa8001b26bf9460be073cf66a2f96993a8eb332595047533ab4a6ad2c3fcb06d82e0e7dd5834b05cee423abcc39e74a6813a37

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
183KB

MD5
3f18f35e1e853b6469891104fdd78065

SHA1
197a8b63c3c9b0e36258570eb7b23ddc715bb99c

SHA256
1f7a98839a4273f13aa4ef891cc5ea6eb9d4ac11acd06f36c55836fa594d6504

SHA512
9c7b8915491f5fff28115babd6aa44113ac487df352b8df8849ada1f1808721f72f47dd4764e7838fd6f86fd209a9f1c2df75e375eda2c192f7c18bd3c0bd086

Download Submit