ddb0b36217f41299cf5789afc33e2d95650c114181ba896c053e2ff19013e770

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ee2ec1d204983649ee197fe673ca770N.exe
Size

80KB
MD5

7ee2ec1d204983649ee197fe673ca770
SHA1

d33b7591aff2a2ebc85916fd026dc01179434b78
SHA256

ddb0b36217f41299cf5789afc33e2d95650c114181ba896c053e2ff19013e770
SHA512

f32444d9b7ae282c56717123c8eaac970f30643d71412cdc02189c661792679a0f4acbcbc9b038d250411775c565cca99247e9c37c60ffd03c29f1fe42e49050
SSDEEP

1536:W7ZhA7pApH1d9oVLQthbqbY9oVLQthbq51Rn6wt7t5m0m698+Q+8nC:6e7WpP9oVLQthbYY9oVLQthbUrt7t5mC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\ConvertToCheckpoint.3gp2.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	7ee2ec1d204983649ee197fe673ca770N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ee2ec1d204983649ee197fe673ca770N.exe

C:\Users\Admin\AppData\Local\Temp\7ee2ec1d204983649ee197fe673ca770N.exe
"C:\Users\Admin\AppData\Local\Temp\7ee2ec1d204983649ee197fe673ca770N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
81KB

MD5
1426f8b27762d7ae2fdf9f8c33660c7e

SHA1
77f7269341eab8e2dbbd4e3a9256894a7d77dcae

SHA256
af324d3731587bea66a5b586f69dce056969d2638e65269075633d43ace64c41

SHA512
c8f9cd06cb064af8b9e727e8072c6e33a3f21b5b5f4f8b38d9e3cbccfc197c8de607567f67ce7bf5cfe53821de6d0af373cc26e070e8827588be1e75b2858916

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
333d82cb586706a85f74862a5d0f105a

SHA1
eaf40888d98060caf40d52f3a41fe53697fbd6c9

SHA256
56b67a8150327b3affa8c57b4ca1b1fb4fea7bf6246cd2fc70f867fa66b88dcc

SHA512
1d8ce045a0be809389ff027e78442c5747cda64e7bc99015c6a963701a2a7a805eb6a714bc505acdfd7883381ab91427d9067cbdb0602d86109614e9d0ad3d76

Download Submit