048b4c98c915f6380adf17510c71b9a1891bc2c3ee66236274aab40bdfce9ca5

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b068e6abff0df5b067373be8ec0cc0N.exe
Size

44KB
MD5

85b068e6abff0df5b067373be8ec0cc0
SHA1

0b4a237173b52bc0961fe46e54e942666f67c64f
SHA256

048b4c98c915f6380adf17510c71b9a1891bc2c3ee66236274aab40bdfce9ca5
SHA512

7797e4f54c8bd642d44a8d20f8ca29e0cd2103210999658324233f406f57ac3d7efd51120087014da48d8cc390e3afe355ccef0b989fe663bd4e96076d489f4d
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJL6:W7ZppApBULcfpHLcfpyDF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	85b068e6abff0df5b067373be8ec0cc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85b068e6abff0df5b067373be8ec0cc0N.exe

C:\Users\Admin\AppData\Local\Temp\85b068e6abff0df5b067373be8ec0cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\85b068e6abff0df5b067373be8ec0cc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
44KB

MD5
dddbd320e3a740615f0f40ce3a238eaa

SHA1
ed5f40d46f556b0c4e4248d460992f1443b6e38c

SHA256
d12cd4721c89f033e3734603710af074c6fa21f941717f38239d67e4f9a836cb

SHA512
0d9503b8f5d65df1cbc56667c99489bf66efb77feb9948a37aa0ebf9733cbd2f766950bfb0ecdf809baf773681bc44becb9a7c6a2a1e8b28a3ea2db988457d97

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
b4647013435ec36d32241695013d932f

SHA1
4662690ee477f4791cbe7538f251058cc97dc55c

SHA256
4db9cda43ff029ea176fd08f45a6abc5f9554377c11cd7fdcfcd46daa7e1d804

SHA512
410048013c0c59b0188fa1b9769d373bcb06d9cbb2a7c3fb6ca697e9b92a29cf310bcc8fa451e0c8e0fde7076a3e1d020ce3ee88cde74a1e8f495bb48c2ef0a5

Download Submit