30231296ac93f261b0be0781d2cbe1ecd216a2732afbe062b57bc44201bdedef

Analysis

max time kernel
119s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 13:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

573862e668f22b9d63c0cd2a5afea5e0N.exe
Size

44KB
MD5

573862e668f22b9d63c0cd2a5afea5e0
SHA1

24ff8ae9c3e17a0c3e712343bcd7a12638608ee0
SHA256

30231296ac93f261b0be0781d2cbe1ecd216a2732afbe062b57bc44201bdedef
SHA512

19db7c16ee4cf2c35d0f375f0fbcc5a540ae51ebf2e0fc3110c28892c2e9e217a0de4a27833fea413b77c6c94bc0ded3a7ae85b4d60ca351510b636cd97be5e3
SSDEEP

768:W7BlphA7pARFbhOm0CAbLg+sVmdGwmdGE:W7ZhA7pApH1+sVmdGwmdGE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	573862e668f22b9d63c0cd2a5afea5e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	573862e668f22b9d63c0cd2a5afea5e0N.exe

C:\Users\Admin\AppData\Local\Temp\573862e668f22b9d63c0cd2a5afea5e0N.exe
"C:\Users\Admin\AppData\Local\Temp\573862e668f22b9d63c0cd2a5afea5e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
45KB

MD5
04ea2806850a0de233f01f4ae346de0c

SHA1
74a91f401f4bb6b34c5b91b7ca110b6ba59d82e1

SHA256
740e82cdb55cfb62f6a9871b01231a8a9eaaabad960e4d0225d306503f5ac11a

SHA512
9a212b33b1d6ad4e5e86731a72029018af4aa62dd4f00bebb79b7c094cc28ee388edb297a86ad9b5287d4bdbf563aae853c035071599ff7e3effc2bef6545e12

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
c1d497961c1ee483b11531a83d2a600c

SHA1
bc499f02d52da1c943790bc4c530327141b156e2

SHA256
1e104a235d96aa9ac01c0b8c65e24fd20b7333ba940ed08da54b22f9714ef529

SHA512
dc43e03a80b7e2f8851a3048fc50f2a98a35760a285d0e5943befa5de830133e12864e90103b59ead8213d2a8e7be69d0fbfebfcc7ef13987e4b1a00acfb26a9

Download Submit