86f205398af0e8a9a586ba1ebcd9e0394a280b7c7a7f57ec377ec1152476440b

Analysis

max time kernel
120s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

864bf72db3740baf1cf381485d528660N.exe
Size

73KB
MD5

864bf72db3740baf1cf381485d528660
SHA1

970e0732afd698d8ebcafa159107702205bfbd46
SHA256

86f205398af0e8a9a586ba1ebcd9e0394a280b7c7a7f57ec377ec1152476440b
SHA512

72c04082ddece7d5627c33f3a0a43248d71363075000ab8609d1ba3fbdcf68b3e802bf4f52f64733c3e9a167447129ba256d1141cebcbeed7e016f8b9bd2fbf8
SSDEEP

1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvk:6NLWpCZIzjwHwS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	864bf72db3740baf1cf381485d528660N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	864bf72db3740baf1cf381485d528660N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	864bf72db3740baf1cf381485d528660N.exe

C:\Users\Admin\AppData\Local\Temp\864bf72db3740baf1cf381485d528660N.exe
"C:\Users\Admin\AppData\Local\Temp\864bf72db3740baf1cf381485d528660N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
73KB

MD5
ae08b24535a7e3acbee61ded025aa797

SHA1
f9f51889c1a786da9ed5d9ca5ea5fc7c5ee8b33c

SHA256
2923892d08c5df94dc7f224f4e6d94d6a9168ce9a24127b52546e8f6760c9d73

SHA512
f10e08eccaad117fd0f3cdcea21aa28489c0f910e0e76e15df43c1efaf2db2efb52b5395386a3cbf11e3b15f7cb672ebafcfbb551777600929b5570a9e272d1a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
373c3d9305fca0cad8660f1a6e1d568e

SHA1
1b206538191acbdf419eb09029148267f7a05b39

SHA256
96279e459038bfb52d40fe6062067e226e57dff79d99af08c406109e46b501dc

SHA512
712936dcd822949e0bf955547dca89cda6793059ff1e198aa869b69610c35adf15bbe715b04878f6c58545752586bbd0044dff85e48353795fa733cd09933c8b

Download Submit