e1e9e7c4008e42d3cfc05420819f96f978f40735dcfcb4a2b0dcbaf6dccbd97c

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bb093d5caa0551a96a2ab593bae960N.exe
Size

201KB
MD5

85bb093d5caa0551a96a2ab593bae960
SHA1

9b2ede624d82eb71e7f0c6420f560a0353955453
SHA256

e1e9e7c4008e42d3cfc05420819f96f978f40735dcfcb4a2b0dcbaf6dccbd97c
SHA512

e958c3afefaffe7b6be4c04da44b799e398ffa228f3c45ea86a63ecdf095b76953c0535a6cd0cecaa76a4814f0ca3060b40c0b7ca31ca6778cb08899f1cfdb0d
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBJTzkT:RqKB+tOkWKR0iJ0lTzkT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4116) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	85bb093d5caa0551a96a2ab593bae960N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85bb093d5caa0551a96a2ab593bae960N.exe

C:\Users\Admin\AppData\Local\Temp\85bb093d5caa0551a96a2ab593bae960N.exe
"C:\Users\Admin\AppData\Local\Temp\85bb093d5caa0551a96a2ab593bae960N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
201KB

MD5
c07dc99fa8ddaa1552c2daf73d185b03

SHA1
2738d07f87c94782c2b4f480ff996accb310b4db

SHA256
b3a68807d9ea4442e4e38869dc22f945a50e04a4e5a6e17f00f71f70e87c3fd1

SHA512
f5fabc33a208cc468ec95831cd9beec5f42ee5e2b07ab83a1e1ad0a7002273b079c224410e0275a749a1cdeb601e4c5553ddebee29594b64812c218cc0a05caa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
300KB

MD5
bd8330b20a042d0d03d26e9110978645

SHA1
c44acc66068778e94a9312b5dd347b43abdd68ef

SHA256
bb30b4b802c445020bb8ede2a3dff20f9eca83375e7542728fb9efa3e2820255

SHA512
d56046f2f847a1d21b45c317cf34d3da72f2e761ba9d76ba91893e473fa59331cbc69bb0f5e2be7ec73486da8b8fa8710d803e53612771fd69900b7841e85390

Download Submit