c258c754a3982aaeb29a5aa779616cca56728f368b09b2ace6725e575072654b

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b47583e194ad2419ac76a8f63bdf000N.exe
Size

60KB
MD5

7b47583e194ad2419ac76a8f63bdf000
SHA1

f640f6f457cc3d0d3be6255befcc1f25afe53f57
SHA256

c258c754a3982aaeb29a5aa779616cca56728f368b09b2ace6725e575072654b
SHA512

633b880fac75097668a36a3a4cc9de8e61812157af0e621c09611770e78037e985b5f8a2ae906bb7ce2058eebb84945c14141c2e831d472690877e58c33b6f9d
SSDEEP

768:/7BlpQpARFbhfUnUNRawAlW1VkRawAlW1V4T7mJr:/7ZQpApfWELkL4T7O

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	7b47583e194ad2419ac76a8f63bdf000N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b47583e194ad2419ac76a8f63bdf000N.exe

C:\Users\Admin\AppData\Local\Temp\7b47583e194ad2419ac76a8f63bdf000N.exe
"C:\Users\Admin\AppData\Local\Temp\7b47583e194ad2419ac76a8f63bdf000N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
60KB

MD5
16b41df1e918ce4cd73a3d95bd3322b5

SHA1
ae580937b73cd64658fe467b97accf207ef3bf0c

SHA256
e9ccd4ebf8d67acdbc131719e967027ee6a4693aabb2bdba5a4b854615855522

SHA512
54a1e575d3a41594dad74e2538f508e25a05279e226e05186a34fd2f01b8210f1cde46113eded2923909321c994f7f9afd4d777f65cdf54e9e9d2c7af473fc1b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
159KB

MD5
b1d40ae1d5e0f608cad43638c194b330

SHA1
d4bce37a0f99a289c14b3cc201fb583045742906

SHA256
0f5f204c8df0199afa7ce5a85e8e17969cb0df11fa41425a757cb0ad89085f9d

SHA512
485c794fca6dea09bb81bb825f6305c25f4f47ee2c8dcbebe6ce2ba9ddcb0ba7ca0311099985c2d8108a61253bcadb3ccc84fdba6e82648f51ae06a63ade0ff1

Download Submit
memory/4720-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4720-1008-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download