26870c6084ac096243f219778d506884a53a2952e48ad119222e45b9dafeaf21

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82a620f5b49347b05c42f36f3a62d580N.exe
Size

94KB
MD5

82a620f5b49347b05c42f36f3a62d580
SHA1

3199a2be46a01568d82a63e95e5c2afdea79ff1c
SHA256

26870c6084ac096243f219778d506884a53a2952e48ad119222e45b9dafeaf21
SHA512

93c0c2b4be6c0a689060c716eda5da8f9ea04820708923dddf554d7a9a024b8fd2315fd76fa631c4c4351cfcabb96f0a761976e99e31b11cefc31f27168a9ecc
SSDEEP

1536:W7ZhA7pApH9QHwtRF9ESWu0SWujodsodaNovTW+SPL+cycWAF689ilYp/Dop/DG:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL9f

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4362) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	82a620f5b49347b05c42f36f3a62d580N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82a620f5b49347b05c42f36f3a62d580N.exe

C:\Users\Admin\AppData\Local\Temp\82a620f5b49347b05c42f36f3a62d580N.exe
"C:\Users\Admin\AppData\Local\Temp\82a620f5b49347b05c42f36f3a62d580N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
95KB

MD5
2b0be17bea62f4770c0590fe442dab26

SHA1
beab3e3e454896288ee67ec3dd1c260941693007

SHA256
a6639bc8e40ea2e93ce7aef2b2db0c94f559e587fd3369dbe94a1ce0c39da29a

SHA512
7eeb7dcbd5d22f1551f32e8031e21e6ffa3acd5a83fa0c7ddbc7892e4ddedfc5643aa1665d3350cca8866aab956cf43b9f034bbfd16a35e3c605b97bac080a45

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
193KB

MD5
b1c519be834705331c683f17929e4169

SHA1
7a335212b7abc51282f5aa755f1e4db3a0d8ea32

SHA256
8662771c2cd1b2ce93bde3a6968230ca5e880677b064971784416994a7e67ece

SHA512
54e68a41bbecb940a3d118f156e21d7e52f094900fecfa5fffb94cbc865bcba0cce0ae108cf293a8e614c835b5faaf6bff2f62bba224d7f2d3614381134faaa8

Download Submit