ea73ff3462ca3026ff193090e9814d079b3d1c2a291ab22e5cf99d024c83c08a

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd97662f54864bd644960a2e0cf524b0N.exe
Size

45KB
MD5

fd97662f54864bd644960a2e0cf524b0
SHA1

916ad9f84d09b7c6205ffd994992ce7e30774636
SHA256

ea73ff3462ca3026ff193090e9814d079b3d1c2a291ab22e5cf99d024c83c08a
SHA512

dfe56a5848fb4a1c60376d76d03cd6bd1be99becaba9e508b938eed4665611fc18ec9d15cb091dcd87f84f27b2aa2d55f8573aad7c71b77464cc353df92fbb97
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1Fhi/D5zf6ydyf+abMkF24kzK3jN:W7ZppApBULcfpHLcfpSo3fZi/D5zf6yw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4686) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	fd97662f54864bd644960a2e0cf524b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd97662f54864bd644960a2e0cf524b0N.exe

C:\Users\Admin\AppData\Local\Temp\fd97662f54864bd644960a2e0cf524b0N.exe
"C:\Users\Admin\AppData\Local\Temp\fd97662f54864bd644960a2e0cf524b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
46KB

MD5
dd0a2fcef28516372ad3862550f27635

SHA1
001c5d7e04fee0cb4b2d4e8c408b6bc244a1110f

SHA256
bb6e6910b7e532aa50cdfcaac9c919c18209b37dfdaed33d3cca913838d170a8

SHA512
ea9d83b5ab7e986f2e10de36e6aee1fda23fbe46b2f79c3b4e0ff0ab8fa01c71616914a69561308920f441548c3f104f8788bd6a5582b52f7da551d93b5bf518

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
6a66f6dc16b019a9be344c1ab0ca9bcf

SHA1
dfaa8b1848cc91819ec4d1cbef84d600813b7434

SHA256
f71728a2bfea6cc72174d3cac7c7736922db86dfcb70c387641e6a31a94b0de4

SHA512
eef9806fa5c31fe7e90c41d519db618b32290a2f5a60efebff7d88c3ac8468ccd580f45b3ce3bce68fd68bb90f8f4371131d175c11a46c4271c04902973466ed

Download Submit