6a6fca6946ee09881e3d3a244dc363a2143d8531c5c2979fe794d7c0076084a0

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d40f16400892180229188a6c61fa630N.exe
Size

38KB
MD5

7d40f16400892180229188a6c61fa630
SHA1

d86779855d6d1ac037b7fe97c4c69d5e71731b0b
SHA256

6a6fca6946ee09881e3d3a244dc363a2143d8531c5c2979fe794d7c0076084a0
SHA512

58ed1231d0042ac7038c33f617a4ea9c997717fd29c4a58ab46ea183b6094bb22a72c5363065cc637dbe9c0d314b140ae4625630f3aa264546473b82534a06ec
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8f:W7ZhA7pApM21LOA1LO8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4645) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	7d40f16400892180229188a6c61fa630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	7d40f16400892180229188a6c61fa630N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d40f16400892180229188a6c61fa630N.exe

C:\Users\Admin\AppData\Local\Temp\7d40f16400892180229188a6c61fa630N.exe
"C:\Users\Admin\AppData\Local\Temp\7d40f16400892180229188a6c61fa630N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
38KB

MD5
a9889f700dfa448b49492adb09b10f94

SHA1
bf0e323c656b19cd958dfd8952a21706bec430e0

SHA256
9091cbcb31db55899afea7db4180db1b5975a033a591d50e63c9ca21ca133565

SHA512
763c565aa5c577ed75f00fb2e825221f2c76293cefe4a7cbc21d133b40f63518a7279237f9835fa9440f28131a4a1d76c13b2a45156a1a9d954e3ab3e8727dad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
aa07b21cd6d7cbb418e7b067c28ab8b4

SHA1
0052f34ac6302853ca2f573c8d060b57ca7e7801

SHA256
ac86e696802c7875e463f95e6f9bae861bc36c8ff17ded511dd65da2d946d1e6

SHA512
4e7ae848fb31b7a84c5cc30508be6d433ea48bd693200d8a5c2196c6cc5cf5ee99ec4bd55f2abae2550a4a52e2c647b1a57a4b7cf75a66765d56a76ef2438100

Download Submit