19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
Size

56KB
MD5

48565b3b8ea51fb3d3377745991842a1
SHA1

0ae69d91989ae78595f8c94d188d886478b865d1
SHA256

19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176
SHA512

373a3396b843f3a6a374f06d6a26b29ae8ffa8df7308b69b822d9142b6287a783d8867625385879845259b7bd5975a653b6bddfda02d96397773363ca26c7d8d
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyfxAkJhxAkJ/1P2vcAivcA/Qh:W7ZppApyVyjVy21u1E

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5114) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe

C:\Users\Admin\AppData\Local\Temp\19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe
"C:\Users\Admin\AppData\Local\Temp\19dd99ad0f017a17dfa078a4c9acf6b81e04b0477c0a9ca5c71269a538cf1176.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
56KB

MD5
9936c2e751e432e7c91c388ed0f63c29

SHA1
2da0fe21ad76cc80ba6cf8c99562245021543c96

SHA256
16a2bc5e3a05edd5b6a3dc67ff9d4159a818ecb0b5ad4f583a9dbabba0edd33d

SHA512
567c1c90147a2854f0d6edc3edc905e8958ef69afe2b8eb866168053228ba9eaa0f2f35d7a43b626382ca621968d14a408858c2b3d6511dea106ea85a83ba4ad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
e56316cda822bbbf37ce8d164a3fab48

SHA1
e67f63a1085304873100e43ec0aa1d8f48e01ef1

SHA256
c7238253d1743b8145ae0bff5b378e7b76744b068a97b6894bf2fcddcc3b02a7

SHA512
150b69bf13da298a5caa6b3f937937517882d9b643e3aba25d06bf1a53dab6aaefd40d6497f683b2a5f7a5a90b7c926138714b963e7bf97c44b656a0d168217e

Download Submit