41bb86f9debca83ece854cd6005be37c9308819ff5484a9d82be6580cc9275ee

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90202593001c5f6a66b02ed8ac482580N.exe
Size

44KB
MD5

90202593001c5f6a66b02ed8ac482580
SHA1

fdceb9a1008b7fdcfdc69f4346d87c5cc03e4c4a
SHA256

41bb86f9debca83ece854cd6005be37c9308819ff5484a9d82be6580cc9275ee
SHA512

79498e5d235d76cc7b328cc08f4e1ac83c88e5a8b8d4c60cb14f9e1363e70e454ea8b17ce83c7066011c887adfe73e4b550d0ae86b3e0180333d7ae0cc4d84a7
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnwR/s4Nkq81LOyq81LOUqKqeUESjSkgX:W7BlphA7pARFbhM0Kkq81LOyq81LOd+z

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	90202593001c5f6a66b02ed8ac482580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	90202593001c5f6a66b02ed8ac482580N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90202593001c5f6a66b02ed8ac482580N.exe

C:\Users\Admin\AppData\Local\Temp\90202593001c5f6a66b02ed8ac482580N.exe
"C:\Users\Admin\AppData\Local\Temp\90202593001c5f6a66b02ed8ac482580N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
44KB

MD5
d372004ae5971095f291b83d6daef888

SHA1
4a03a5f796ed60d526cb97c3dad96dc423c1833b

SHA256
5d5ff690e20d3e52105f4137c3ebbaf7a42f5c4c79635c1b27fd515305ab945f

SHA512
1ead7850c1fd00a58222f14aba07e6840392f194ce33fae929522fcb06d981335937001f1075420537b57b6f49bdc3d37fa1eaf1166e14731ae8ab6ea261f28a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
546146417f2fb7bc84e04e4670b22494

SHA1
7c631baed28c0e87041c5d2bbbcb2f07571e9db9

SHA256
595c28d57d8a6d57a0fcbf3ce02edaddbac8e7e869457890f295eb357d1ea401

SHA512
2814636b4ba7808b90e5230be62094364f4adbd3ab52efa5a7f3c0bbc2a33e5db128538e8aee30321e4451a3f61ecfea303b3af23c09aacfcd41ebf487260bcd

Download Submit