7a582afe708efef28e4a79ffa9a05f40d8aa76f398d30303e22a92361cad9d97

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627353bc074938e2aa29c7d9e6653b20N.exe
Size

74KB
MD5

627353bc074938e2aa29c7d9e6653b20
SHA1

a2ba6f23ba82839524a5183e33da1e9439ee86f1
SHA256

7a582afe708efef28e4a79ffa9a05f40d8aa76f398d30303e22a92361cad9d97
SHA512

347dd16ba29e43cdead80a3dfc896b8adb6b3f20c52ea105280c30773e35c2facbc2d2b78d10fc10386749c8fb98b421b1a35c43ec5d9b9ea1fd5524f746a1dc
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7YNNdNpyI8yIU:6e7WpMaxeb0CYJ97lEYNR7kzlSU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\d3dcompiler_47.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	627353bc074938e2aa29c7d9e6653b20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	627353bc074938e2aa29c7d9e6653b20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	627353bc074938e2aa29c7d9e6653b20N.exe

C:\Users\Admin\AppData\Local\Temp\627353bc074938e2aa29c7d9e6653b20N.exe
"C:\Users\Admin\AppData\Local\Temp\627353bc074938e2aa29c7d9e6653b20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
75KB

MD5
91af8df195fd8696c7114b6f2086677a

SHA1
ec45ec66a24fca380bc74a960bf9bc6049fe84a0

SHA256
d2753c9141f0a7e8fea497d06fefd5a65c4195354836f52581015d80bf436aea

SHA512
9d4cf171bc32cc81e600ef1e65544ee42ab132b6b0bfa0d2cd923c21a5b0fc28eb574ec58db045203a11e37fe038546542bc44f70fd1435bade799a045d638dd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
c439a2c88f334ff45587853f4e537e52

SHA1
3d09dce167bf9a33d50ade896ea0f10c5cf2569c

SHA256
69f76d8e989bff5afb90dbac91b0ac080a5a73771a0d464eb8f000a58e9e63ce

SHA512
818ca9558bb2c3dffde34fac4be35da4457d9cf94bc8d40bf084219f60b5db0afdc330f28f3cadb6b95ba5cf948c24ffd079ff9ef7b6f20b31d91e434c59335c

Download Submit