88b67cd22f9393eae632f6a808d98e2913f5c37f39448658add4b094e556fc37

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2180a6af8c8f9bcaa8cf33012cd5040N.exe
Size

50KB
MD5

d2180a6af8c8f9bcaa8cf33012cd5040
SHA1

871f9119df235222206b8fea8efecdac1cf57f24
SHA256

88b67cd22f9393eae632f6a808d98e2913f5c37f39448658add4b094e556fc37
SHA512

f5e6f175736860d673dc7b6feae93cdf1362265c0d74e2a63c7e826d2579f8fc560147c8071711e842da76c17f0ab90c2d4149b3174b61f83293ae9395fd04a3
SSDEEP

384:GBt7Br5xjLvassAgA71FbhvgqHqMjL4jLS/3MMf/3MMy0U0czyKbNzzyKbN4cyEu:W7Blp2sspARFbh5YSfffynfWK9WKu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4651) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	d2180a6af8c8f9bcaa8cf33012cd5040N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2180a6af8c8f9bcaa8cf33012cd5040N.exe

C:\Users\Admin\AppData\Local\Temp\d2180a6af8c8f9bcaa8cf33012cd5040N.exe
"C:\Users\Admin\AppData\Local\Temp\d2180a6af8c8f9bcaa8cf33012cd5040N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
50KB

MD5
f1f5e17660e0b31095d5a37b31684bdf

SHA1
535abfeee1b578ae71225713145f9efd4542fa2f

SHA256
c8b8135829ee0b33155582d40840593f7a903d8a2e3932bc2764bfc807c75b3a

SHA512
1b75d5bad3373ab42391cf811b460c493ef37f4f0457caafa9d152a82e3e6732ed158542a9164f1450fcfecc8d1f6a625279d63c37e61393a585369a42c024af

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
60adc367d78dbf7c0e369dbdaa841578

SHA1
2c696681c6b60267d82c2573c0335c0b66e63c12

SHA256
5150a89285484c6bc394f92fb7644e08b02b71b6200d7c7796676744c50e6146

SHA512
31a57399004dc22d4e0afe8d3396d87ebb11bc9e2f087e3815a61c0f715d07604bc804b4a40e6a61d306240dd17dc9e15b8e4a113ab241915069ec7b60b356df

Download Submit