522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
Size

76KB
MD5

8ccd501b0bcda9d47bc20f3f50d7f0ce
SHA1

4597c83b29ee194e8b290bfa6310cb812db51358
SHA256

522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7
SHA512

e919d13c34c42396495803403ec0ef3f329557de8cf6917c0b6f9e462037baa7f566e7faa753fd623453a594f9527584e3fd5637e3daaef71265fea1bf8f89df
SSDEEP

768:W7BlphA7pARFbhvOsTKnKqtb4HBZjlwGpCYnigugqOzM9bdifwMtxEwJjlVki/mN:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5034) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ko.pak.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe

C:\Users\Admin\AppData\Local\Temp\522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe
"C:\Users\Admin\AppData\Local\Temp\522e30f93c172d2d4eddbcea4d2d6f3070f01c508465ef67d110204fc64634c7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
76KB

MD5
fa28b389289d4dc0f1454e526b496f13

SHA1
8a625cd0de38c7fc5608469e65f68311db7f3926

SHA256
dd235a003f3bd411c82b2c15188d01fff10d62370612803c07bac307c638f326

SHA512
d8d9141f66313d1fe35b08ca686ba13cfaa2c6a3f3afabcd2b2813e0869d3a36fc6d097cd77bb13222837517652b6dd2079fc070716a67571b458fee4f6e0754

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
9e39b01d165f689faf6e77a5ba2fd594

SHA1
a62c7435d4c9bd5cf50289879b63108b31b6610e

SHA256
c15e3d35d3943a7b098b520b216e70ce7512d446b21bbd8a197d3a146d2855f7

SHA512
4cbcb364cc5fca50e3939bb798ac43f115e647f8d334cbbb5740358afed130dcb67e81623cee4c55da4d82b907a5d9fa84767c2e6479b3c0e34ef34e8481673c

Download Submit