633275f1ead34452af53ef80564a3532d1dfcd1914cddd7c17027fd668d6d562

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
Size

73KB
MD5

d1b0b84514d5d2ded77f12e3cfeccfb0
SHA1

18718197f013d4af9864208610160423edf1eeab
SHA256

633275f1ead34452af53ef80564a3532d1dfcd1914cddd7c17027fd668d6d562
SHA512

71976fbcb22c41dfc1c3fd691fda061e97f1dcb2c33cdb3585ec2af13c77d4195da55cd55e60694627ee34ea73c0b0327d91383ac406d23a0ac19032d09c1e91
SSDEEP

1536:W7ZDpApYbVK4vx4PN54PN4OHepOHeZSmXy:6DWp7WR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b0b84514d5d2ded77f12e3cfeccfb0N.exe

C:\Users\Admin\AppData\Local\Temp\d1b0b84514d5d2ded77f12e3cfeccfb0N.exe
"C:\Users\Admin\AppData\Local\Temp\d1b0b84514d5d2ded77f12e3cfeccfb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
74KB

MD5
9c0cba6b45845f0335065998e1164f03

SHA1
9c048747ce8a0a463394351248c34c4e048ee38e

SHA256
fa28e70e1151278f8a5b6fbc5d2f7715cc288e9b45cccb23dbf1525acff18fb1

SHA512
7fa5c4aa08e931511bb789ba3b2a7e4df1cc8a25faef047a45edeaac0946607a2f5ffc188a80e8058674ea8ddd9582f48d33462c432f85fa1a64c9cfff4fedd1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
350dde404132b9f275b5e4c7e32488f9

SHA1
4976271286472087e9543e5e7ee4742834e19865

SHA256
2b73f42e0e8520b3b0d0d9decad930e9b8536ee2eaeec05d5c145a7e4643e325

SHA512
a813d1823290bfa249b756ec66e6c937e720cd1f61bd7cf5d7990740b39fd4bb2edffeb983789054f126cc2f9b8d24c4618a8d449cc71660bc1bdeb0b41bdb39

Download Submit