2519c07529058d148aae53c7baea8980c1805f51cbc5c541f1c799fc9f0061c0

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d453e6b496a4b0423ca3dfe35f8db30N.exe
Size

82KB
MD5

0d453e6b496a4b0423ca3dfe35f8db30
SHA1

467efd3743fb01cb289051a7832561a4ab7d9f26
SHA256

2519c07529058d148aae53c7baea8980c1805f51cbc5c541f1c799fc9f0061c0
SHA512

0c697fd1e43d1d798e27f61f9b69b511307b71ff2e43756f5088dea2d99eabc0dc48ff8f263f6a173e7e29aa671de2120a7b51af4921b5be3322fa5c955ae63f
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6ShWfxRfxC2R2f:6DWpLf7fU2R2f

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4335) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	0d453e6b496a4b0423ca3dfe35f8db30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d453e6b496a4b0423ca3dfe35f8db30N.exe

C:\Users\Admin\AppData\Local\Temp\0d453e6b496a4b0423ca3dfe35f8db30N.exe
"C:\Users\Admin\AppData\Local\Temp\0d453e6b496a4b0423ca3dfe35f8db30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
82KB

MD5
49036db128b4adac4098441dd6c5576f

SHA1
8db71f67691ee8b672fc6c24d3747a5ad7d8f34e

SHA256
1b64d68266e380ab254a5adb1a65a9a7e118e690bc646c4f69adc4f4fcf11ac0

SHA512
9c1356a0a22bf4cf1eadb34472fbad809351c37bd3d35daafbeb993109d6937436f97cb6fa0e519ed54db3b6fc6e062eec833c4fbed3c73f3b676d30b98967bf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
b587d556120be5d92df77b00987cea27

SHA1
8fd57bf14d128f175fab87cfaf9fb5d530e43e2c

SHA256
f6a339859defd082cccb70d917cb8e29edc872976ccce3e9f5220cb1bc9bccc6

SHA512
9f2df1799266c879b9be432de010727d8c6be4c7110a166069c9dfb9c77eb1dc99102da5b173ef609ea4482a764db29e7320c0830de141cd363891033b9c867e

Download Submit