a8538ea2a15bd4d1cfb79fca5276e0a626e0f60cb3aa7f74e80a873d952aee29

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

885ab5572c54b317c511a233c685b1f0N.exe
Size

51KB
MD5

885ab5572c54b317c511a233c685b1f0
SHA1

aa1040d0b77732e2f4d29c8c25eed329809d3c8e
SHA256

a8538ea2a15bd4d1cfb79fca5276e0a626e0f60cb3aa7f74e80a873d952aee29
SHA512

9ad790702ba365e3a671feeb98a35b5a76b17011406a3fb4846c703dafd65bb12a69c873d7d9d0e951ccd1267d54f0dda4092e074484b1b14863cfe03fa59a1c
SSDEEP

768:W7BlphA7pARFbhL801VvM801VvcR2+lJtZ2+lJtSsOU6:W7ZhA7pApw03vR03vcltdtSsOU6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	885ab5572c54b317c511a233c685b1f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	885ab5572c54b317c511a233c685b1f0N.exe

C:\Users\Admin\AppData\Local\Temp\885ab5572c54b317c511a233c685b1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\885ab5572c54b317c511a233c685b1f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
51KB

MD5
252dbc7328e43a365d36abd3902ec101

SHA1
67ce383038b8f31c5c538a1b8cf71614561fccad

SHA256
6852ef94d6b049d2d98a263379050038df0632084099967475f28813ce9b8828

SHA512
773436644476e4694caaa0b1ded17757c74ba62581396ead8f229af8a0f0ee63f7ed7bd455371fee13af4d34e939b92ea211a7182c2624ebaa1f1175262eef79

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
4092c434bacd08391cb4660f2a6d6fd4

SHA1
1f73af4e2392daeeab684a6e4b1cf4e0e8af0ad1

SHA256
f55c5f45cce041759791a55055f2c40f296d5cd0be497d9f60644b40dcfa8f77

SHA512
be930886c50243ab452fc99c16954629790787525b49973f53cb3a4de548a6e401e03f29fd02be2a746083b30cb27e866c02348c932395c01c93ba1a4016317b

Download Submit