4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
Size

54KB
MD5

deb03f56440888625399111744bb03ec
SHA1

e51c35d8e9f21f4110ec1d018fa54297b02f7215
SHA256

4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1
SHA512

acf29c66802b992ef57229d237039b6e96e2c4afea10aeab1cdba3ac9cd0a54fcb404d72479f74c48211c755c44b1c6654a3e162fe05680aa265882d06bac894
SSDEEP

768:W7BlpppARFbhFAxC7ntkntV/E+BSBmBCUK9+BSBmBCUKD:W7ZppApryJMkPMk+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe

C:\Users\Admin\AppData\Local\Temp\4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe
"C:\Users\Admin\AppData\Local\Temp\4c05536a7d5bb572df1a8fe24019f632612b73d18be3317c5b7a136d0d28b7a1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
54KB

MD5
c7d5b3b8270073867a1303a7237f1faf

SHA1
6494f12716219854ac662c4d00ff338e1d541810

SHA256
1a69dcf114f9875be49d1e102db558b83cf398cbebaafa119715be077b6ba70b

SHA512
2e83d9d45bf4d3cd220cd7cb6d1f9311225170fa16e2924d630951a278032ca3f252ca73a06b31bde592f94f8b35b5872840f26d54cc49d401f91fb993862aa3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
c4c270287e34651c6bc320af414fd562

SHA1
94d319738288db342314d512c15898ac872bb61e

SHA256
3c56aab5f96e746c743669d4ca90144928a51e7f77e1a2b890e6fc6be215d95b

SHA512
87bc88ffe1e3e072debac0bf29f27c779b41375b5b08c0eb9d7423d9d0f742f8521aa87b3741118fb7ac9babbac5046800ab28206bcb5c46d37c0fe4700e8c2a

Download Submit