619c5de367cff10bae9afabd41e7a985103666bdaa43600f3bce6f77080dc216

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04def4ba661cb4d52699356b09e84f40N.exe
Size

65KB
MD5

04def4ba661cb4d52699356b09e84f40
SHA1

2b774af16b0a91a02917f3d3e8b5995339b0ddff
SHA256

619c5de367cff10bae9afabd41e7a985103666bdaa43600f3bce6f77080dc216
SHA512

b5ee51c7c0ea8bb6b7b58286a1d96f458344ff219e7bbae293f7adf8755109569af40dc622bef526dc3cedea669b895d385ce24cdbb10c95e03439ea85d95ff8
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKP1:6pWpUnDXxXC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5092) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPRESOURCES.DLL.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	04def4ba661cb4d52699356b09e84f40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04def4ba661cb4d52699356b09e84f40N.exe

C:\Users\Admin\AppData\Local\Temp\04def4ba661cb4d52699356b09e84f40N.exe
"C:\Users\Admin\AppData\Local\Temp\04def4ba661cb4d52699356b09e84f40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
66KB

MD5
b1f9ef610d320961ff88e962e3bbc8ee

SHA1
0253f58eec5d1dd69d38f95b57d3784e6ef69cc4

SHA256
2d5a2fc53e90d128535cf11ed9ae90748722d07d90a163a39a9e5cec30938127

SHA512
58fba15b45db11edf127abac1e083de2d57cad992a43aeeb381657548679f3af7e8caaf73bff2449e9bb486426c589bd8ae11f5dd082244d03c7a889a5fee722

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
7b21944f4336f69f3154f6d0a44bd94b

SHA1
a85bb842832dcbc986ae386097e995a3e647405c

SHA256
aac6f5a361111237f231d916083dd6e1afdced9e7f5c1fd88d98d737d6ccb8e3

SHA512
b895c6e43ece025483f60e476d41e8e78c40e6902db6578c7c487345ff6525919103f9a73eae5fba490efd93c5767dbf1489170ad1f7f46a45555df6cc5016d7

Download Submit