4210daeb7521f17e8b344f3b4722539dd62732a666a05d540b7ff60a1074dc73

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
Size

45KB
MD5

18f4e2479a2ab0ae51dce9a12d1d0f60
SHA1

dadfb60f12f752a31956d52a308de98073323d66
SHA256

4210daeb7521f17e8b344f3b4722539dd62732a666a05d540b7ff60a1074dc73
SHA512

bc29c263705332d43717762399e244a09acbe683c25fcb63e618071436c2b73fa30e441657543746ac52540fcfd84249d34d57676f6e07cc251d9e5ec6dd2b87
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1LfFfV:W7ZppApBULcfpHLcfpSo3fN1V

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18f4e2479a2ab0ae51dce9a12d1d0f60N.exe

C:\Users\Admin\AppData\Local\Temp\18f4e2479a2ab0ae51dce9a12d1d0f60N.exe
"C:\Users\Admin\AppData\Local\Temp\18f4e2479a2ab0ae51dce9a12d1d0f60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4300,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
45KB

MD5
5c0f68cbd77b9989dbfbc575fc4ec35d

SHA1
2f6cfd22dc2f232639e62ea634df32fdbe0a7c08

SHA256
9ba1c4f3cf50d91c3f70bd87ea7a0612d04f5f3b856c2333cc3d0430cc9e1bec

SHA512
070340e9f545398513f835adcd3aed9de302031f822b10e6a4285a18354e78a84c63653b352409f9372f02275549fe857f584cc5660a05305dec76c7495da8d1

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
157KB

MD5
f08080874ec635531f3c85a152318717

SHA1
374c5aba1a7d09c97ec74515f31ada4cd0c33be5

SHA256
fc29aaea1316119f651c1ac1d0a768a93b03a9963adb8380ea3129bc5a445b40

SHA512
5ec2bc92ca6314fd930cade18a3aa19764c447c681f954153a3eadd8460d15d6174bdc925fbf53036868c8eb4063ba1f6a08801c0293b6a70f74dfbc0eca985c

Download Submit