27c3c95fc5d5055acfaddbed8d2b9fbc4021d9d65a6652db597e8721b41a52dd

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5503b83f32202c8a976c12b899ced590N.exe
Size

40KB
MD5

5503b83f32202c8a976c12b899ced590
SHA1

0338d8a16c0c751da73fb8a4f2a325b5e8ff9e0a
SHA256

27c3c95fc5d5055acfaddbed8d2b9fbc4021d9d65a6652db597e8721b41a52dd
SHA512

df723b8e1d4eb8d1eba15f9313643a7977bd67118f8a6d2a95f7971bbbd851bdf2c08bd6f22dfc66ed1f298d19ee240e0ed41d00bf2ba5dc98e08e01470d73dc
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1Z:W7ZppApBULcfpHLcfpSo3fj

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	5503b83f32202c8a976c12b899ced590N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	5503b83f32202c8a976c12b899ced590N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5503b83f32202c8a976c12b899ced590N.exe

C:\Users\Admin\AppData\Local\Temp\5503b83f32202c8a976c12b899ced590N.exe
"C:\Users\Admin\AppData\Local\Temp\5503b83f32202c8a976c12b899ced590N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
41KB

MD5
4f80a3a1a55b7d39bd19c7d72df87504

SHA1
11a2b98e33ea8c751f11687bddb4b72c00e51673

SHA256
bb2236d566e43f6faf48dc4615cf4b07d5d4537dcc5a0a722c56341e8f5c13a0

SHA512
414bc604e4cb92aeddee0b63b48c286ab08d1bc466d5415deb1a279a5a6b15f424f8cabe22a2a6d498e677f6a8eeaec905f59b947eed68ab3a985bc6dd2cbb7a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
d742457775d86b50fecb545f2e5d0318

SHA1
ee37e46b1770ccce88eba1a388fa4377facb6432

SHA256
ffe409bcd3271c192ee09e13bbba828fce4a60a98dc0b4d9047061839bbaa7df

SHA512
8b666c8fe153c978c858ea3a3f8099d03545ff017cc792ca0d9a4a105a44a2e104e51b7835dcd04453974f0bd836734c08ff1d93297eeff2fe602d56c2fc6625

Download Submit