45dbb4153d0fec11e38930ea826616ab1dd005dc4ad074c7e6c5b2428c6b0d7b

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55f4052b71794b2ef7e86a6d2542c090N.exe
Size

35KB
MD5

55f4052b71794b2ef7e86a6d2542c090
SHA1

42501f81f7620f1f6851f78c918526daabceb69d
SHA256

45dbb4153d0fec11e38930ea826616ab1dd005dc4ad074c7e6c5b2428c6b0d7b
SHA512

8dcf4b359cf2103143ff375ed9e441882bf2198248c9e23bed0eeb8f210ba9f4ba761e4abd5b2550926c5549beaebc15855ae3c0faed5bdae1de5cb4dd5dabf1
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhv3KueKudLl++KKdXd/Qy:W7BlpppARFbhjbhPKueKudLw1KN3

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sspi_bridge.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	55f4052b71794b2ef7e86a6d2542c090N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f4052b71794b2ef7e86a6d2542c090N.exe

C:\Users\Admin\AppData\Local\Temp\55f4052b71794b2ef7e86a6d2542c090N.exe
"C:\Users\Admin\AppData\Local\Temp\55f4052b71794b2ef7e86a6d2542c090N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
35KB

MD5
c5b654c845d450ebcfbd061dde601296

SHA1
ee63c2a804152a620996275598589a186a2f4700

SHA256
1b9ee6cda60b99bdeb19e42adeb2c87eb322f8d553e2e2101e9b14c3139f279d

SHA512
e648f19726916d6bb659a58c0d1788663be282cde11a79018c5fb4538dc0ef37614c90f7f8e302d19477a2b41dd4c836e9b4b92f797b29e897be98816e72ef23

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
0e55369a409b08ec99ae08741e93dd73

SHA1
e2d71a98cf7d74627b54bc6be7742555e5e53ecc

SHA256
ecf8a5acaa7f4b32d6c2c3a2b8e5d223fe24ce65382a91e674829bb7952e5ff3

SHA512
f9a25c0a26a6814e6e9d4cd44f0901cded94ebd33581c4e3e1c167b8f953634ac6284edd3daafd751423aac5fe093ca9f62b87dac6f2f8157ace93df908b8008

Download Submit