f7ef7fc9bbb3e14f407d60f679defea525f28f57ff852df9aedb2d6db720c83e

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05299f966cb3aaf7c0c474a86ac9b870N.exe
Size

72KB
MD5

05299f966cb3aaf7c0c474a86ac9b870
SHA1

5ea35ffdd70a1d53af7ed42aacd5bfbc4910f05a
SHA256

f7ef7fc9bbb3e14f407d60f679defea525f28f57ff852df9aedb2d6db720c83e
SHA512

fad500b8ca24847ef51883be30ca0a3bb197b84154525c9c314a2ec3c20c8da6abbb7c29b51d8720f38ee5ddc879d73451ad720b916c1bef114b0474026e1e9b
SSDEEP

1536:W7Z2sspApkZrZ4+fU7lK1lKT8/8aPtPf8mdG3mdGT:62ssWpcU7lK1lKgkE+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\desktop.ini.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	05299f966cb3aaf7c0c474a86ac9b870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05299f966cb3aaf7c0c474a86ac9b870N.exe

C:\Users\Admin\AppData\Local\Temp\05299f966cb3aaf7c0c474a86ac9b870N.exe
"C:\Users\Admin\AppData\Local\Temp\05299f966cb3aaf7c0c474a86ac9b870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
73KB

MD5
716c3ba21f2b852dee5d9cfb7410df6b

SHA1
000555b341c45d52a4034c31345bb98bb83319a7

SHA256
b501194332db5ddde702da746820d3b5d77a737a5c0175c599506936a74ff6ae

SHA512
d84f7921ea456da478988131746521a967138f4715d40910122fc153c02c33ead0cf15cfd66b577a2a0d300f002dd3cf292b5499ee1e8b9ce302ec48a50541ed

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
233bfa004f452dca25001980539e37fa

SHA1
e1045570a0a3774547a5729cafb3f337b91b557f

SHA256
4c3a3d6559f30c9a02a6e5342a00725e40c36828710ac38d69d3380a59263572

SHA512
2b07d5504c3499f73bd8bfcdaa2381a946b005a97d6cc96a4c28a827e2aaf067c57305a968f69c081b2fead79a0b47eac6e749c9c3723ed782bfd9873bfa7845

Download Submit