0ff01a9e30c8228c11f1796aeb6930d2482a7b6a2f1ee4d84f94fc7df5f13ee7

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

526cdc07e5f30bb46640fce9cf2b32c0N.exe
Size

62KB
MD5

526cdc07e5f30bb46640fce9cf2b32c0
SHA1

36cfe36a988cd86f39067bcf672079f0cc7cd51a
SHA256

0ff01a9e30c8228c11f1796aeb6930d2482a7b6a2f1ee4d84f94fc7df5f13ee7
SHA512

92d742eebc23a933a57002533935e9d12bb587200422231b469ced619df09b1af2d69b0fcf4afeed37a59452cad37bc77cf8d5098e51fae6bea497c9463f98c8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/x:W7ZppApBULcfpHLcfpX2/Nw/NwmxO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	526cdc07e5f30bb46640fce9cf2b32c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	526cdc07e5f30bb46640fce9cf2b32c0N.exe

C:\Users\Admin\AppData\Local\Temp\526cdc07e5f30bb46640fce9cf2b32c0N.exe
"C:\Users\Admin\AppData\Local\Temp\526cdc07e5f30bb46640fce9cf2b32c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
62KB

MD5
6d23285d976c531b68fbd65acb79bccc

SHA1
d963c9bea4a2a963faeeffc23d5627f45476383b

SHA256
057f7093175ab7c3a4c270523090cb5317cb725bc1c6b077a8cd7a59e075f706

SHA512
34a52784d1c634b31adb4709dcdcce9af587bd21c7d55fdc1c326e2cedc72b4dd2c6cdd25be3589c05cec39c630dd6ae2dc0c54905a6a0f18870e75d0436654d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
aad41fb16f0315dc18cee93b0b101e79

SHA1
9043d9e76afabbf8c5d246be331954ed1506472c

SHA256
7cea9e0338aee7579764e815ad0890b7cd6d2ccd4d84be8c1148a9e99cc8c0e6

SHA512
ab4844f1e921868d4b1dc9f684f5b2bb3abd139ebf620ff718a5e7eac5a23eb7a1a863bbc8343dc4db90eb5c55776b3b883bcd236acd2b2b5175ea295dee0eb6

Download Submit