fd4cbdb2d7a5d692ea205ef07b31a421615fb77cf8b4d2e54aa2485fecae9f09

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b416c7b78bb55f5801f9996e5f522040N.exe
Size

38KB
MD5

b416c7b78bb55f5801f9996e5f522040
SHA1

8431148f8b8267d95c3afd2a4677da1a18894380
SHA256

fd4cbdb2d7a5d692ea205ef07b31a421615fb77cf8b4d2e54aa2485fecae9f09
SHA512

315f5a33de2790f26c05cb3aaa25ee4ef15be3a85eefab29f37ea8abaacf6e0196ad5c3b84aba23114e3312fbd8bc11d6dc1d795d2df4d63fedfa3f83a10917f
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSr:W7ZhA7pApM21LOA1LOl6vSr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	b416c7b78bb55f5801f9996e5f522040N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b416c7b78bb55f5801f9996e5f522040N.exe

C:\Users\Admin\AppData\Local\Temp\b416c7b78bb55f5801f9996e5f522040N.exe
"C:\Users\Admin\AppData\Local\Temp\b416c7b78bb55f5801f9996e5f522040N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
38KB

MD5
9cb2fee79ed4234fe8277ff8438022a5

SHA1
9d15882bee8163db52b65b4e2874911ea03d3a4f

SHA256
ad7a076329a4204c7e315a9c3492cd8bb2a9572853b4e59f3a722a602b438fab

SHA512
686a9c602216881fc2c9328cd37073f73dd36c5625bd7b238a8c33ab961f00944a869dbbd407d7c11d93632c3d796f37150373ae240acd93a356d61b08dfd4ad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
d6b10362b94d71c4b21509bc0964257e

SHA1
daaa4426f69f3db6c0a3cb12b2bb0474c402e6d2

SHA256
4c2d2e61418f54d3ea419c99a6f1640c3521eef2e9fe0b89109c3d2dddb64a6c

SHA512
3a959dc2a0e677c01dec5269455edd6359a706ccac767721e2da92c4d2f86885b649df51b0cb112f46ef447a81f7703e0fa85b360df2a187dfba31c81959cf38

Download Submit