944cf3e242cb8ad2cf5e3f9d69da9e148b37049eb05c82577a50b974bd6ec86e

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

575d00a57d6c3186e88267e0866da730N.exe
Size

87KB
MD5

575d00a57d6c3186e88267e0866da730
SHA1

e32bd7c0a10504411a0457c6987e8d684ec6a4d7
SHA256

944cf3e242cb8ad2cf5e3f9d69da9e148b37049eb05c82577a50b974bd6ec86e
SHA512

78cd8d49cbd79b005a4997dc6a5267e7c498cfebc4377a49d83bf4a34c7ca46c88e3db49c0ee2ba7612d3b0fbfef1c5e26dec18338323ef04f221ce360a2873e
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eTdsdYSW6:6e7WpMaxeb0CYJ97lEYNR73e+eBSW6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	575d00a57d6c3186e88267e0866da730N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	575d00a57d6c3186e88267e0866da730N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	575d00a57d6c3186e88267e0866da730N.exe

C:\Users\Admin\AppData\Local\Temp\575d00a57d6c3186e88267e0866da730N.exe
"C:\Users\Admin\AppData\Local\Temp\575d00a57d6c3186e88267e0866da730N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
87KB

MD5
8888cc23cbfdc715d38daf7ffd2e1f5a

SHA1
817fcfa9fb6a4c7d1db43397f61a185afabce95e

SHA256
b0e61b30c2132bd2fd71bb3b91b130847a9a689c3d5fd53f52f68fadddfe5bb2

SHA512
3cbc063e319af7fb18ed69147cf90c432cbca18a5e14b038adec42e06929ae2721183f18524efd8b9fd25ca27d4d66c99708d3b16cb4a9a38f5c332d9eb7e949

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
186KB

MD5
c73ae6975459f5bdf609c9bb2bfd288e

SHA1
0d1e8cf4e8d918e98b540de0f5d633013ade171a

SHA256
5dd4ac14b1ee1aa4e58f60c509c50023513d6b9d7acf12a5e171c8a6f4cde291

SHA512
424e7cff91a874f8bb95aa91f3f585ff27993fa1cbd54ac6319d31358b1bea587bd8b8ca7625fa7d4dcf1aa0518e4152c402491621556c492f5922c731b884d4

Download Submit