f78e1c42cf052a7507e790528be608af66709dde80c70c8f9e06f94dac3093a1

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a503a19fb187feb2606d60d3b99d40N.exe
Size

47KB
MD5

41a503a19fb187feb2606d60d3b99d40
SHA1

e8adacc67c3e4c21a7c17e10d410252ece41879f
SHA256

f78e1c42cf052a7507e790528be608af66709dde80c70c8f9e06f94dac3093a1
SHA512

4947df6736e4d5a4b317ad301bca04de3cb00d1fa8d64f6272644e8159bc68b8c8cf9956768232e5d2f9251c4e466e034cf17773b2b3fd49fffa2e5d5dff2884
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwNqikTqikkvPVvP18V:W7ZppApyqikTqikp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp	41a503a19fb187feb2606d60d3b99d40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	41a503a19fb187feb2606d60d3b99d40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41a503a19fb187feb2606d60d3b99d40N.exe

C:\Users\Admin\AppData\Local\Temp\41a503a19fb187feb2606d60d3b99d40N.exe
"C:\Users\Admin\AppData\Local\Temp\41a503a19fb187feb2606d60d3b99d40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
47KB

MD5
76be3bdd662535f992383e542319203d

SHA1
4fc668bc9259a5cc10fbc059c775df16ef04661d

SHA256
e476d59ce74150aea7d5a3b0dcdbb8e036c98f41a9959f6d9d2439b1a2f70032

SHA512
0e26d90a7b078a3c6abdabc599bebd0f5536c1e603fa33e6ed3147a5b14db9412e0ca9e7b9483b7d7814351637d249e51505f624f55cbe5dd368d29d2d0d5755

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
467d588b6958119135d3c2a85725321f

SHA1
5246647b916ee9952e29f09d8f608a27535bd511

SHA256
91a5841b1694ed7b85fa42d41fd07f2af36ab35778b9df33a735e09d50a13487

SHA512
103d7418353fafc2c448825fd3a2bea389a5a92143af0738be63650f90c03bbe0fd89af954599214aafa953106db2146ac98306742a5cf721157204d6ad00c79

Download Submit