c02e66a872fc1e131d97bcf038bb2026c69d0ef4571db77653911f65ad732e38

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6a418aae438b8f1c02563789756580N.exe
Size

47KB
MD5

8d6a418aae438b8f1c02563789756580
SHA1

1d76d09b6d973938adf4a4d02f36690abd78a2a3
SHA256

c02e66a872fc1e131d97bcf038bb2026c69d0ef4571db77653911f65ad732e38
SHA512

ac08974a75c6bea125cc959045e7d4fb568152656c9bddf8c3f884315e5304a311dfc25c53252383d9e7b2cc1a55f41a115fa59518ec74a6053752888e3e94b7
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJsS1101XZQZZ:W7ZppApkFS/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	8d6a418aae438b8f1c02563789756580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	8d6a418aae438b8f1c02563789756580N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d6a418aae438b8f1c02563789756580N.exe

C:\Users\Admin\AppData\Local\Temp\8d6a418aae438b8f1c02563789756580N.exe
"C:\Users\Admin\AppData\Local\Temp\8d6a418aae438b8f1c02563789756580N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
48KB

MD5
89811cdd30e78ab404ce07387c76b244

SHA1
dc8d2f505627f46725932a097ac5366cfae4d335

SHA256
31019826c2aece18332b165fd0f2cd1f0acb9fe98097d0c271b7e11b154f97e5

SHA512
6050f156d1c5817c3df6f2db612f95605cc8f07fa39948da2cbbb97e133cef9ac4ff0f5d54f499323e172a979be9088a8bb4d4a4161d10782f3e717f65f6151b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
fa818d986c7372cab6c90110a229ebbd

SHA1
aea8abde1a46258c9d3a20bccd3acac0aeefaaf3

SHA256
8ad3e5cb6df0e79582950337972dea284e762c2741750cdc79a8aeb37bf46cc0

SHA512
a5e5ec09d279ff447593f77d6e4e937b3e2fd704d5886cc8199a8882daf66683165766082971e09e2eecddc198f0bfa18623112a252582ce86abbc2a1b884815

Download Submit