d300aa8551db09a50e4da3422a0b84c2f89a167b9e23983d93104defd74466ea

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 15:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f682ecd0603827383141f724391bb5b0N.exe
Size

44KB
MD5

f682ecd0603827383141f724391bb5b0
SHA1

da01d75ee00477478a4cd29781ec988e9a5b7070
SHA256

d300aa8551db09a50e4da3422a0b84c2f89a167b9e23983d93104defd74466ea
SHA512

13c00653dd96e07a67fbb98ab020fd6ccbde100c2fdc8cf934b5568196b09e4ff42104c2763fda16d9fea068c848a831f7af926aa50341f9b903b9612f0760d4
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLFdyGdynmpmrKnK8:W7ZppApBULcfpHLcfpyDUdyGdynmpmW5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp	f682ecd0603827383141f724391bb5b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	f682ecd0603827383141f724391bb5b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f682ecd0603827383141f724391bb5b0N.exe

C:\Users\Admin\AppData\Local\Temp\f682ecd0603827383141f724391bb5b0N.exe
"C:\Users\Admin\AppData\Local\Temp\f682ecd0603827383141f724391bb5b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
44KB

MD5
92bccb9222ad698ebfa1e7bcdff83851

SHA1
179fee30f442bc8fcbb58f7f577dbe4f69ebc638

SHA256
dafc67eeee51df3ffc76efb04d366957cd7d14c734cd3c6ba8316dc2fd9379bc

SHA512
d53d6277e8614d9dde674daea3d3725a373540f48f9311f173dd22036a53d2a3287affbdb730c540ec3da46979c67487b9829d86693c6d4d9d7659aa22811f73

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
ec6893131062edde6d1a0333e6b8a163

SHA1
03f41544b49e73c5c55d73e1ec6d5b43d250a727

SHA256
719642abb9316dc6e8f93e0ea94596fc97dcb11adbc7aede2d68c1f38a79c193

SHA512
478d32bc650c8b31d1b97cddb04783020ec88c4f1103aac2bc071ff12ca48401f3d2c4e8527934746f58da23663f8cba86278e0f6045f28fba8d2f89a92386b7

Download Submit