5f6658e930108fbd331f7acae16d8a89d7200c839b9f6257dbd798d97d111aee

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1037063c69e28ed658125f4ba18009a0N.exe
Size

91KB
MD5

1037063c69e28ed658125f4ba18009a0
SHA1

ade6c92b799670afff3aa84cb5aeec82d126a73c
SHA256

5f6658e930108fbd331f7acae16d8a89d7200c839b9f6257dbd798d97d111aee
SHA512

239417a17108e67048a890b14108951fb7441c841c70409edb06eb398bdefd3dbdab5308d6859a08727a07c4ee6b6944e10569905a0ce56028fa9fc6a9738514
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhJ:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4568) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	1037063c69e28ed658125f4ba18009a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	1037063c69e28ed658125f4ba18009a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1037063c69e28ed658125f4ba18009a0N.exe

C:\Users\Admin\AppData\Local\Temp\1037063c69e28ed658125f4ba18009a0N.exe
"C:\Users\Admin\AppData\Local\Temp\1037063c69e28ed658125f4ba18009a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
91KB

MD5
6d3ccdd2d704de5090b9308d6612ec0f

SHA1
9bf6c50826e2870505016b760e7fa0345af73460

SHA256
2bdbedb4f5087bc3cd8de4ffefae7da5a62ff8096bd60900a6da45623dcb4769

SHA512
db891eb5fbd803c51df80cd849f0b6278a9ae89854626d09d7de5285ad31c18608ee44bc5c21c3463508095f506623d2721a774fc8a73c7e92b577bbe175530d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
df74797830ab2998f9be52770598f1f7

SHA1
9300dd1230aeebbf0b3ba89be76a99945f244417

SHA256
998022b4c91d5c0bfefe9b42a6b2393ef2ea1e03cd56282e795266e7f76bf9f5

SHA512
e07d421782e5262694072d80b429fc5b13738c98d59da4235eb88ec21fe72c2543eb235ff80b0e629b1e5a324a392bbdfbb3a8334606ec315d059ee03118dfbc

Download Submit