f5ee4f40f307c450f03b807412abc0ea13488db33ffde70d06b2363f91308bb6

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e3ae29d5bdce616232cb8a63005d50N.exe
Size

89KB
MD5

61e3ae29d5bdce616232cb8a63005d50
SHA1

91dbfa631f9e3957ab8bbb2809b8d5ed60464a9b
SHA256

f5ee4f40f307c450f03b807412abc0ea13488db33ffde70d06b2363f91308bb6
SHA512

af2142f00ad6b21884d500dd9c5aed893070ae8de2d9184c915d25e76298aee8f373920aa54a91ca2b00abc860cf2cef1a6aee1fcde3c3b1794d7b94a6e1cc3e
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhL:6pWpUFpEhLfyBtPf50FWkFpPDze/qFse

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4605) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	61e3ae29d5bdce616232cb8a63005d50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61e3ae29d5bdce616232cb8a63005d50N.exe

C:\Users\Admin\AppData\Local\Temp\61e3ae29d5bdce616232cb8a63005d50N.exe
"C:\Users\Admin\AppData\Local\Temp\61e3ae29d5bdce616232cb8a63005d50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
90KB

MD5
a8ba6af36b9fc7e31197c0df564ca19a

SHA1
c9e258bbf2e71c21126249f899f5390a3f12b2ca

SHA256
75dd41b5d7e9a7706c8ebd28ce0750650a3f18d281445d6d73d30ab7166b6472

SHA512
88d73dc8f3a5f7352980e945c1cfbdaac8aa81989ba9fe458a99850528ff5d8613c4c4e2e9bbfdf69d545f83c8ac7e149ca8f423d756b840b93e2219c9db1628

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
ed9796f7820ac6a56c770d028c4f9189

SHA1
0e2d2f36589c274b4c45fa244057d5380fe6d259

SHA256
60309b1102412296d01bccd54b1a580a26628b1d628f41b6cfcfe6d8bbdea756

SHA512
f8c87a7ee3c05afc13ca5b089d3b8b7fb9ee19d7e7aaff9202407fa9b95394c57955996d1589160e4c40d205abcbe370ea438c6bf5d05a49f743d36fe8352cf1

Download Submit