564be74c1723a29771c1d91026b14d538119452572fce76385e5dd1b14f834e5

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f452b2a4185304ce627e56f6b45ba5c0N.exe
Size

68KB
MD5

f452b2a4185304ce627e56f6b45ba5c0
SHA1

e8b1cdfe02e1f3544762ec266764c79766d9bb37
SHA256

564be74c1723a29771c1d91026b14d538119452572fce76385e5dd1b14f834e5
SHA512

e016b328705b0750025c5bd8ba9e2640e6316d19afc166ffade26de39ee0e2eb37f672b530ead3a974962f7082f5e49770de3d348624e80f7b82b45d5e678b9c
SSDEEP

1536:W7Z2sspApkZrZ4+fU7lK1lKT8/8aPtPfGJBtJBc:62ssWpcU7lK1lKgkEn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	f452b2a4185304ce627e56f6b45ba5c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f452b2a4185304ce627e56f6b45ba5c0N.exe

C:\Users\Admin\AppData\Local\Temp\f452b2a4185304ce627e56f6b45ba5c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f452b2a4185304ce627e56f6b45ba5c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
68KB

MD5
113542c76a4292d62f896c4caa9adc64

SHA1
ae4c7a8bb60515d4b6b4273b362171aab06b45cb

SHA256
0fdb49279f4a738d612a9a065bd069279d755ff901ef837dcf5f76a3a5b71b7e

SHA512
a308b4c45f023e120afd640f4885c6ecab2dc63c5437076c7b1ec68b5deb2ebe3837b7986a7a3eb225653b1187f8ac25f18c402db75807806a55788b2b859206

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
167KB

MD5
9682069109e92d4bbd0930237b2d46cd

SHA1
da1c04e1e519c2bed57c815f8e60d7594df7050a

SHA256
4846ce76deb8deccded7d5b53f727eefd2605bc9fff310ebea061ad1d7861e3e

SHA512
e399b26fae2cdcf502cc2937a0e79c0c35cc9aecbdeefc76fd662e31fff0a5a94070584b25bbdd24d242384ac5da8ffffb25a73612f35a345fce9e88180fdce7

Download Submit