8a283b2371e0a9bc77750cecf7a52da0f989671e111a3d4cdfaa876abc259a83

Analysis

max time kernel
119s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f595cb4b509fc658ea57693e674a0cd0N.exe
Size

103KB
MD5

f595cb4b509fc658ea57693e674a0cd0
SHA1

becf34913e4cfad7a40b6dc7978b2d2f883b31ad
SHA256

8a283b2371e0a9bc77750cecf7a52da0f989671e111a3d4cdfaa876abc259a83
SHA512

297792d2558fcc528e28613706ba2b5004165d177f1ca2a4c6b23250e1b64f370d9df8234f65ac6b29e82efe8349bff4e614c5716e91856d44008e3c0e2ac990
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/8z3MLHsk:6DWpwE7oL2e+efZwZ08i8z3MLHsk

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4369) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\d3dcompiler_47.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	f595cb4b509fc658ea57693e674a0cd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f595cb4b509fc658ea57693e674a0cd0N.exe

C:\Users\Admin\AppData\Local\Temp\f595cb4b509fc658ea57693e674a0cd0N.exe
"C:\Users\Admin\AppData\Local\Temp\f595cb4b509fc658ea57693e674a0cd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
103KB

MD5
cfaa8375cbc3fb173ba3ab23a4f0142b

SHA1
cf8db248236149b5ba99151516656bb7f377e396

SHA256
0d6600f104ef57bab916e9ea96dec3948b8a86f2c66274b378668e5d32020009

SHA512
9907deec90e9904f11ff26d054649d9bf30a9eeac050a1cdc6dccc2d9bc56f51273dde960148f5ffdb7fc5f5a3de06f63fcd704daa28e13ac549ec5c07e72d61

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
202KB

MD5
4e820536078492520a144e7ae8cc294e

SHA1
4ab6a65d00b453342f9dbefef50649da5804b122

SHA256
d05bd4945c4afc88bd5d5cb94b8674d79a1862e9fe83e5c43b5e2ca9b67f6927

SHA512
333555336ac1caf091eba27d55395cfe728e83914d5de98323958a90507b2fb7d100decc91a1995969c22e3e82f19d791dd8e9a45b8569c77b4f2c3e3cb33017

Download Submit