2038d3dadca52090b051fa15cc92678c1b8e6d7cb3d48e0684905c75e535cdbe

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0143b5b6d3edd038411c9215b242a580N.exe
Size

51KB
MD5

0143b5b6d3edd038411c9215b242a580
SHA1

673e106cc3e3da4c8e208f875b53e96e51a57089
SHA256

2038d3dadca52090b051fa15cc92678c1b8e6d7cb3d48e0684905c75e535cdbe
SHA512

39e85f2bd0e36a53c7d38b8f1a5530e0f02592da0614ec9c35c392b4097d589a464747a69ea50ea3bfb728f55cc7c7dd51d2f40b756f873700ad2eb322a0f1f8
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyfxAkJhxAkJU7AiPWiP4:W7ZppApyVyjVyi7S

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	0143b5b6d3edd038411c9215b242a580N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0143b5b6d3edd038411c9215b242a580N.exe

C:\Users\Admin\AppData\Local\Temp\0143b5b6d3edd038411c9215b242a580N.exe
"C:\Users\Admin\AppData\Local\Temp\0143b5b6d3edd038411c9215b242a580N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
52KB

MD5
ce928ad829f024e4d6a0fa1a35aba79c

SHA1
b1dbd8198b8cfca06ea52aafbc46dc94113dee8c

SHA256
c801c1619366f932f7f1d7b00dde6d2b4d369f78f569881c68f06074682b3cec

SHA512
c0d0c0123e16caec53f5729f3dbaf8ce2851e7367b8de5fe59c7c6a7fbb869f197575f826cb5af9fa4089872726a7ac794f97318f9308d3a70c3909683dc9d30

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
d2813185527adfa36cba8b8ee8affe62

SHA1
26dcd6e083af14765c3ec7f91d011ef2f116de04

SHA256
54dc0f6fdc7b2b3b1d8d97d94e47f44a5130585a46f4948c09c26b4ce9adaa03

SHA512
b10061a63440422e919db442e5badcee028cdf583da06666749f90e64644e97cc3aca7d710a165a08227afe3cd6599679ec3092f19b07c24b4db82523f1be203

Download Submit