a5906a643bc4f35c6b909deb4123dd1dc05e5244aa14c3e72afb294522a6dae9

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ba6947ac3ad4838f714509ca5fba380N.exe
Size

72KB
MD5

5ba6947ac3ad4838f714509ca5fba380
SHA1

344762f98e1a270f10b581f0d6499ce314b79dd6
SHA256

a5906a643bc4f35c6b909deb4123dd1dc05e5244aa14c3e72afb294522a6dae9
SHA512

a472f61d7e386a6b8df03978d64a271a59002a99e9db7bf264213b65bc1e0d1238eedcff769b65d1baae4eb67653fa73e8019e1779f258afa415dfdc02af2192
SSDEEP

1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvS:6NLWpCZIzjwHwQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\EnableAssert.edrwx.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	5ba6947ac3ad4838f714509ca5fba380N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ba6947ac3ad4838f714509ca5fba380N.exe

C:\Users\Admin\AppData\Local\Temp\5ba6947ac3ad4838f714509ca5fba380N.exe
"C:\Users\Admin\AppData\Local\Temp\5ba6947ac3ad4838f714509ca5fba380N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
72KB

MD5
637cd88539d0c3a041ccc774b83348c7

SHA1
08494d9962204c99e0f9802a5e2b48a63b00c75c

SHA256
f8a1acd8f3bac6efdd9a3ab39f1d85fcb681755e4a129bc9e6d83631c809cd8f

SHA512
1f40144d296fa1a7f6caa80bbd797f7cf06ee75600242fb6bc636ef3539e066e82e2cd947175b52be53eb89ad0ba5ae9d1211dd43cd2c9cd3283548664f942dc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
38cab3f42f6fcf697b6caaa1ab7f3bec

SHA1
743301cd5fe6abd880188a9df60a89a7aa8f42ee

SHA256
b4ee67727d7a449e6f8c4c05448df695c181d988804df0a26db7c92dbf2a927a

SHA512
2bde84fb013cda809373b4cd1fab51ac1d4388a2f2c24af3972c7b68b22109a2bef4ab0783965c1640fbc59a2e8986853c08ee53b868fd1e3e4bf835d4fac85e

Download Submit