75ece0b5ab5c591b433f1b9f25d7e096853562a2a3a9168ead604d141191c97c

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b682621d5ce0a83a35c1dd4e2d8ae620N.exe
Size

92KB
MD5

b682621d5ce0a83a35c1dd4e2d8ae620
SHA1

3c47545139779736f821265f071f86c3f1af45fd
SHA256

75ece0b5ab5c591b433f1b9f25d7e096853562a2a3a9168ead604d141191c97c
SHA512

ed371beec026e8480b9e8bfddb45ace38941cb5c11f4f3d20f73b268ec913060d2f51c7eee7f66b4221bf2e598551663bb0074712f357c6141a1fe84548a2604
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhY:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe
File created	C:\Program Files\ConvertFromCheckpoint.mpv2.tmp	b682621d5ce0a83a35c1dd4e2d8ae620N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b682621d5ce0a83a35c1dd4e2d8ae620N.exe

C:\Users\Admin\AppData\Local\Temp\b682621d5ce0a83a35c1dd4e2d8ae620N.exe
"C:\Users\Admin\AppData\Local\Temp\b682621d5ce0a83a35c1dd4e2d8ae620N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
92KB

MD5
5bf997d7e3abe6d5ee1a4ef284f72f7f

SHA1
a700bc7378a2fed77dd69230926ed94b46fa7f46

SHA256
64d9bb16840d57df19014ede71c7642fa6f5cce9ad69c25e133f5700b746c9bd

SHA512
fd21b885023955bf889819a079d5b7c09c5473b863389e226bd0f01083e86281d6b58eef3ddaed6a440e4deb6ffb6f02b3fb1a7707238b95d775457ded951d27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
1b371a06edf3ef4fe761d098a2c90846

SHA1
0cbfcc64a1c6342dd8fdd7bbc6dc11d6a4efaf5c

SHA256
61e5c1d6544c586dfa99da8cd246ab4f5daa67d12605ef2e3cd3d2e4c9befa84

SHA512
cd1b8ee34979a46f48b942f46296a9e98d4deebc4a4ac279dddaba93519b2f17a83620a6534286dc9304780a3fe8fdf64d8187b0664ed96734afb8cd4f57d882

Download Submit