8bf0bbe01320e4808af49c39fd41fb565967993afa9cbe69ef4cd614b89d7a16

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

701995e17067c70b6b59507784a5dcd0N.exe
Size

93KB
MD5

701995e17067c70b6b59507784a5dcd0
SHA1

53da0300dd2b38e0378eb6471c6111a5694acb0f
SHA256

8bf0bbe01320e4808af49c39fd41fb565967993afa9cbe69ef4cd614b89d7a16
SHA512

8cd40326bd156c322082c83ab5d4636f726d20989a22ef0a1087808c5056acc415ab5db62808c6845ad91ef0d3c66daefc7f8861e41765d93c3beaf0166a2d0f
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzY3:6e7WpMaxeb0CYJ97lEYNR73e+eGGQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4616) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.Interop.Excel.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	701995e17067c70b6b59507784a5dcd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	701995e17067c70b6b59507784a5dcd0N.exe

C:\Users\Admin\AppData\Local\Temp\701995e17067c70b6b59507784a5dcd0N.exe
"C:\Users\Admin\AppData\Local\Temp\701995e17067c70b6b59507784a5dcd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
93KB

MD5
51df058295574069f8e83e40e4935d3d

SHA1
a7090b5b6726c6f1344bbcb41990812160f0871b

SHA256
0f5860272600b3564f3f3fab282ea5ae199f901938a2b8525e144e1e907d1bc8

SHA512
fb5eb8afd6bac5a89055469cfc644f4574bde154acd1d7bfad06ef6978f34e66265f97d1b0ac4dfd3f35023d507e97c568866f7deb22f47b9020a7ef61e85f2f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
192KB

MD5
cf94c3d702d801ef804ce5cddfb76051

SHA1
a4a29fbed0b77491a6ede8d2a4d691b8e156ee17

SHA256
fd68e52b51ab506c114379705dfb61fa48cf6a97032cf6de8b442c4835694b2a

SHA512
39ea075e39438f53f5c58b2539bb515f25f2b14a9495af3a6bb73e908c31a66851c38d8c6c3126fd29bb538d122eaaae7e544f801975ea0497b33eaab43fe040

Download Submit