5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
Size

50KB
MD5

1bb74bf022fa2aec70848b1604bbc4dc
SHA1

9ab96e87bbc56e46c7afe4cfcd40610671899c3b
SHA256

5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c
SHA512

c4fc7b6b2df4558ecf9d9c94768b70c68cb85d1e71bae663dd06a6d9bd0c3a9ac8bb481d770395901e9a8b84541ff457bc3668419e589c15712adb6f2ffd8287
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwRJofJoToYvJtLJta:W7ZppApaJofJo8YvJtLJta

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe

C:\Users\Admin\AppData\Local\Temp\5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe
"C:\Users\Admin\AppData\Local\Temp\5597e288d530499094fd59fb5003a21738862c70dd412f0d83d95da5706aaa0c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
51KB

MD5
1e398a910753423d99a40bf82b25765f

SHA1
cea88681b04a01e224d3af1be3d0e7023a3e0233

SHA256
a7bb46ea8a0e179b46cc40c855ddf3b0992bc76b12c4547d74a57393feda69b6

SHA512
a7a6ca42e307f7a5151231fc523292e5f4c046edb24ffbc2a87f1dee63728795a36b6f8a6a501ac266a4990621990f19852c0cebf4db0cece87a2c67684fead2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
01f07cd9442b5bb6bc2b1acdece6a190

SHA1
d5a34d16f4f3aa37f2e30c2539e329efc97d5f93

SHA256
c0b5d638bf61ded8baf80edfcab3363d953e40901f3581490e40771f2302eaf5

SHA512
22282ea45b7037ab3afa47cc51314a6b3f4adbad28efaff97686fc2fa0564056d43ebad3e1333dcd1e66c72d08b31d74243846cc6fab17f9417bbd30751d6e6f

Download Submit