8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
Size

91KB
MD5

5dc02d3263d826e962e53c2b0e10aaf9
SHA1

7476d174beb6ba88b79d8c6b91878105158b86ac
SHA256

8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6
SHA512

003c31b659828256359e323c139c3873ac6437e09853faf866cc0cf1f3bbd9d2361fe989d91541385b3966425ee1367ced0055467705fff31d0a4ad559ed6fed
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEh8:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5044) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\DisconnectSearch.lock.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe

C:\Users\Admin\AppData\Local\Temp\8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe
"C:\Users\Admin\AppData\Local\Temp\8255e4a872a441ee803a29ce613cf0102f41decd42f36e97f5670642937704c6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
91KB

MD5
46c87955b0f82029fdb6045eda958c68

SHA1
8d6e852c3fb16b90eb7213775af8e61abe736f49

SHA256
3ae3863661d0f0ac03fd7ed18ac595f65dd078a05f1ff33dc457209f439911b3

SHA512
4792bafeafbb0bf2efeb6ce310f728473bce2d90e94a69ab4f0d57c6925ddc11e32afcdf64d006c2ff3685ff7bdabf15a644cdbbf6b8b6966467652d0ab3fd25

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
b377a80c629e39e12a49a9da31c74bfd

SHA1
a706a80adbb86a18a05278bdda8bb44ab8ac38cf

SHA256
c6ab944f6da3bbd3a8b29b99bdeefea5042841f5f7d8eea5c2b45491756328cf

SHA512
e24a1f5099473d76df93e63cb47b26b0197d534e93c2ec1e55f13b5c412531a2233115c9f42f9d48eb76d64405ef4af1c3957883a47c1767a15d93d693e682a5

Download Submit