82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
Size

29KB
MD5

2ece5d4ea2150ab05c3f16c59661b36b
SHA1

b2aebac8cf92c56154bfe51240a1083420ed20d4
SHA256

82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622
SHA512

07df40dd7f50b647dcaf809c647f5979c72fdca38fd4fb3b0e564f4afeee49d7c77e3b192ddb93d027cde6acc20d247d113747a618728f2609e1cfaa8848794b
SSDEEP

192:tACUADIY0Br5xjL/ScAgAQmP1oynLb22vtPeGyvyq1iGyvyqo:GBt7Br5xjLfAgA71FbhvtPch

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5241) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe

C:\Users\Admin\AppData\Local\Temp\82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe
"C:\Users\Admin\AppData\Local\Temp\82d26562fcd1112f323e887f968fd22df7b571f119ee5ea9702cd880f72a8622.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
30KB

MD5
6c1a87481b6680fbae14641b83767518

SHA1
90c8b9fa8d5567cc07a7572027c56eec4047d68c

SHA256
0dd2bbac8146713f7b64c5db6da65f85502fdab94219558901ffe2c4c5ad8c8a

SHA512
51547dd747d1449b6851daaa20473f118501c983f0f1a79ea1c90b0bd5f4b45c4bca9f021361934ec011f65fdc35c85dba6e2f2b3f4b26a20d232cd895dcddb5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
128KB

MD5
e068ef720887f32cdb04962710ae04d0

SHA1
4221c862f673a17502f9f8f317ed6cf290906e99

SHA256
59d6a45516fcd58a2f775ee23196de63b3ce692cf317bab33e2ff693b7d39658

SHA512
f1175ed71b9b8f215c542eafb4dd38b5c4e5c1b0bd1c8fb8df6cef73565feb86ffd988150ee86a600b4e7b2a8742ff0b510a97b87b34cd4b0372c0ff377c8a8c

Download Submit