0e1939b38f38e22e72ade1a9a8f66b0f897a5572ea0449cf311ae1f3fc471073

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66ae5474fce4d771067ac3d9ce23c480N.exe
Size

74KB
MD5

66ae5474fce4d771067ac3d9ce23c480
SHA1

30c214b938e27ed5203e7fb1494ac808f01eac33
SHA256

0e1939b38f38e22e72ade1a9a8f66b0f897a5572ea0449cf311ae1f3fc471073
SHA512

f725ac70eb10f27259b2858443a851950febe925309b2bd0453a5e783b1c85ebc00737feb48ee41193b2d031344a4fda65db02035b6893e71077dd5e5ce4955d
SSDEEP

1536:W7ZhA7pApM21LOA1LO8IdHxAbuJVSNCR5yg:6e7WpMgLOiLO8CHWiJUAV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\EditAdd.cmd.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	66ae5474fce4d771067ac3d9ce23c480N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66ae5474fce4d771067ac3d9ce23c480N.exe

C:\Users\Admin\AppData\Local\Temp\66ae5474fce4d771067ac3d9ce23c480N.exe
"C:\Users\Admin\AppData\Local\Temp\66ae5474fce4d771067ac3d9ce23c480N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
74KB

MD5
5bf08a38b0fbe4d24519c2c655469fba

SHA1
436dc4f4782daa6a6e46f1f5be769a2aa55e936f

SHA256
1be2f923b97c96a2e89f153eb607a846a4531aa6ea2b15188cad698be4da3a47

SHA512
d6f04959423ae18b9bcb8419fb18c2024512bd31f26cbb28dc3446679f4b5ebb2aaaa14a0fb3b73d65a378755abc8bc01686cde6413da8fd9992af491666bff6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
d3ed5475095d74f89a3f147ae31bb313

SHA1
e2d3ae18dc969518befeec219e8383f583d59bb0

SHA256
d5bb9bf3310a0ae425971a83c33f1739065a67792c674d70aeb6ab02fd080682

SHA512
78e6ac202092d1e694ec9a9355a0951fc68e03c00b4b8c6cfb7b15e63013c5175a21aa7a30e45c3d1e7736a076ab168da044f5b2333f272c6de4f8a38656b8dd

Download Submit