0b8b97009c2c4da5f71e85daf6524723d555b130313178493ac6bdb1a38f25c3

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

705b2be48b2c398c80f195d1ffc72d90N.exe
Size

40KB
MD5

705b2be48b2c398c80f195d1ffc72d90
SHA1

8a0424a8ebd55cf8830ecbce7ba936783c732d67
SHA256

0b8b97009c2c4da5f71e85daf6524723d555b130313178493ac6bdb1a38f25c3
SHA512

ce40c56ae1a99684bb87f9145614e99652d42e9b692415d727c0b9b89a68c8aaae04f1d1a6c203b3e497c06441ff6aee3a26e65d63b0aa9e4ec456acf6985751
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1H:W7ZppApBULcfpHLcfpSo3fJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4668) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	705b2be48b2c398c80f195d1ffc72d90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	705b2be48b2c398c80f195d1ffc72d90N.exe

C:\Users\Admin\AppData\Local\Temp\705b2be48b2c398c80f195d1ffc72d90N.exe
"C:\Users\Admin\AppData\Local\Temp\705b2be48b2c398c80f195d1ffc72d90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
40KB

MD5
03c4f8f0505cfe878c4e782c0c501c49

SHA1
73db38e44e656c304f207a508defc206b144b33d

SHA256
4587dee13cbf168faecccd705ef3b8592c6c31731a945f390258f7e60e48b14c

SHA512
4b0dc5aef122ec74bef554672f206922ac289e5a942de688b5a29f1dd73204cb1b27a9d0ddf5b70856aa402bd00bd648283696ac8c9baf4f8a3d2f3f64ad59cc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
c19549e78ff05edf28f41262aa71a2e9

SHA1
9566cfcde22780f2b136cb447de9008ed0cc0bf5

SHA256
4f115f993ae823d1b78b1fd8a0d0b5fe533075b0839edc265243e265d4cff337

SHA512
0e44ae98e40726a40183a570e6d57b99ac876baec1ffda68dbea953bc6571f760967d8c98ed9e20407d92cec808876a0ef1b123a561c3aa2b571605556186bab

Download Submit