2078503cd02f6794a16738701069f5e02929b742dfa360472f507c7fdedfb250

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0597096aef42929f1d23520381a32140N.exe
Size

42KB
MD5

0597096aef42929f1d23520381a32140
SHA1

98b433e91c687f6428a2e53da9d049ba01fdd9bd
SHA256

2078503cd02f6794a16738701069f5e02929b742dfa360472f507c7fdedfb250
SHA512

01f17bc7c2af9f6e9c1da8e022668b7ee6e71f075705e9d1a5dfc7012bc51a9e9aa852fd367b485f37b28635eb66fda36fc61825b8b0706780d5b62ac3a9827f
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJilqGelqGa:/7BlpQpARFbhq1KtGFGa

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4915) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	0597096aef42929f1d23520381a32140N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0597096aef42929f1d23520381a32140N.exe

C:\Users\Admin\AppData\Local\Temp\0597096aef42929f1d23520381a32140N.exe
"C:\Users\Admin\AppData\Local\Temp\0597096aef42929f1d23520381a32140N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
43KB

MD5
d1ce62148cbe5272241297257bda61e0

SHA1
d909a780527e1b7ead1607bcb8bcad6b37700f09

SHA256
c37dfad87a73d42ed135ce11ba33babe1819ed2d8bd2c7f2b0a17bafd9f517f8

SHA512
abc84e25f8296bdedb69b57124414705be3e2d72a14b82f20e21f1a08fe5f24808d78ae3d5ab6c7f5c6b8b3db112e99aeb8524e3e75f5e6a7f9cf111ce642775

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
33b341f733f4e4176c07d2d9e926b3a4

SHA1
cbf91a811627f28fb63bad3d1f53b7c1a6a92e75

SHA256
5f832582d4e01224d716fde9484295c66ca64ca7a36f827d2b3ec92bfedd51f1

SHA512
322fbb0e9ff30f29cfa2a83f8918a54ddf039917a9db6d071f2b476028232dc77f30e59dabca38b624b762cc7cadf89e9e36ff6a81414c943406a7ed824020f5

Download Submit
memory/5036-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5036-852-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download