1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
Size

36KB
MD5

a708f35d7b2ba0201fea61c93fba9bd1
SHA1

41a3fd42e1fd1e69988fc163ba4c28e9c580c243
SHA256

1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a
SHA512

9b1da750530be910fb45ea92f0a3d86022d7a4f84dab4fa06c8617785b9265e18ce247a04d1a1fcbdbecb2d8b4fa87ae1691f76f508a46599c9d1f7b2721e3fa
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHhpqW7U7OB9N73t9N7M:yBs7Br5xjL8AgA71Fbhvszwu9NDt9NDc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe

C:\Users\Admin\AppData\Local\Temp\1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe
"C:\Users\Admin\AppData\Local\Temp\1298c210f292acf32b745d982972b2117d819a34b4527289425baa7c1973cd3a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
37KB

MD5
5ca0a907fbfd976aa9584481ef041832

SHA1
35843dee0181b78545c62dc14ce1c9b35d352533

SHA256
72c391f7ae928c915fe23ed41287aecdc61a637630057a6b5a0b94daa4644e68

SHA512
a573b22f85edef042733d45540b8d86fd98b7676bbd13013668aa486bb74812a36027f5af036607a105c153b746d8c7477ed31a90c6322b5d5d5bbf0be27f121

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
cc64cb1e7ad60385f1e557ed451ea041

SHA1
5cad0a3575917984495a19ca589730d0da1636a1

SHA256
4889361ec0a893c8234b9197e50ba963b465cd319245fa057f6fabf58753a849

SHA512
1c5d9cc1befba9f0ab9e1cfaf0ac3e9c4e23e25bedc87c1417d8f317995b706b9ef1924da21f611d34d6fa22c678449e03e3157c10bef2baabf698e836867106

Download Submit
memory/4776-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4776-1012-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download