7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
Size

50KB
MD5

079ca090fd286e3a70943704716f4192
SHA1

89aaba3ba1900c919db124f35ae830dbc18a7160
SHA256

7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d
SHA512

90d08f367597d6a9f7dc7e2b8cdc0cb8a071d9a0d3a752ec7ad08d52ee46da0902028f241a4e0ca868f78e23e4c66d9c49f140e9da7a522e284211b09c8ef1a0
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFew/DbAGw/DbAXoVRO8iJfoVRO8iJ3M:W7ZppApBULcfpHLcfpyDoAI96wXwG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe

C:\Users\Admin\AppData\Local\Temp\7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe
"C:\Users\Admin\AppData\Local\Temp\7b444f473799eaa25d4742ed919ff0a6cb31a2c4c5d62203f784ab5a7f36ed0d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
50KB

MD5
7b3c6697e1fcaed3d030bc453e4cf5c3

SHA1
f16d367cd682f3b3337c8b0bc81adb90309d2cb8

SHA256
114465a55ef8198a29d380a10312e1988fbb3254c36127133b4de690047a33a0

SHA512
716aeddbfb4d0cb79b1afb3f5cc20c704525157d1b72aeb80baad35b6e4c1ef68e4b7f77029b5b25f4c0c9efb9c6a4aec9db6f83c1c250407d9b8266d74a71a8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
c256f00acac091e3743139f8b5147f37

SHA1
1ee04e2b066bc11e8bf42a1600e3df178b02eb30

SHA256
c8bf4c035afcd027c5c5e85acfca353e5123c85652fe23fe3a7800c41e0f7c6a

SHA512
8807f46643fb99e52fcadc32cff2d3b94de2c9c406024ddae446e25a6d30388c0f9b26b4069c17fe3ab95327f0ad4aa4c380cdce74b1bdf587545ad3035459d6

Download Submit