0b1f4fa616b430a231cd57f48bf5db87329b9cd6abdfec9faf5a5737cd65ab00

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d639aea6f41cdccd25824519a62ff70N.exe
Size

85KB
MD5

7d639aea6f41cdccd25824519a62ff70
SHA1

3a11ce6e3431fef372f66015ae21611d2d1aecc4
SHA256

0b1f4fa616b430a231cd57f48bf5db87329b9cd6abdfec9faf5a5737cd65ab00
SHA512

b68fff1ce80acb8ed6eea8314fdbf5121cb328f5889860135ec62b8a4db2905f9ebf2d3ece5aae796d871d6991d65b61834eccbac27758aa9c46afbef7f7ceeb
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhT:6pWpUFpEhLfyBtPf50FWkFpPDze/qFs6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.COMMON.DLL.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	7d639aea6f41cdccd25824519a62ff70N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	7d639aea6f41cdccd25824519a62ff70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d639aea6f41cdccd25824519a62ff70N.exe

C:\Users\Admin\AppData\Local\Temp\7d639aea6f41cdccd25824519a62ff70N.exe
"C:\Users\Admin\AppData\Local\Temp\7d639aea6f41cdccd25824519a62ff70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
85KB

MD5
0dd6cbe1148405bcb3386b7fb4d0ea4f

SHA1
e866c3a26811af512d4100d06c97386d1941d41f

SHA256
c0722bf48b06108bcc798e108a0e4812be6f806d6caf81336b043f4a296ccf2d

SHA512
fa664f9c3909b54ce1c1f991eb3a0412418623bc7f1676bf427a3a42d8ba75e1b4c740af429455ea07b0ce701519bcf4c30b6f7b25eb1a6b41dd941bfce47b9e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
184KB

MD5
8803594fe9b0d0295f2c9376f2d8a9cd

SHA1
6d587aacb0329724407eaa81b3605da139818372

SHA256
cf51c0d1e3f840c66725f503854e6ece13939c3d9e7683fb1adac9282c1417c3

SHA512
110015067c3b237422d2b8599cc3d84e2931e025330445c2e78407752e7437e15d3b52f688fa81a32fec2d30fda912550c6f765fcf3e7b313d23c4559dc965a2

Download Submit