698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 22:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
Size

105KB
MD5

8801fa82f0fbca63733c930bf1c46d97
SHA1

7bf8cf66135c9d2e5d917e01eecd4c6dee5487c6
SHA256

698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0
SHA512

bc2aefa01ab2d98e2cc81496900efcfbe7baece8fae2437f2e3ecd8e9bb31c9083dbcc346c451b92fdac88e6a6d6614ffa71e742f4951d55827cf541674a7018
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/80PqPIUpCUpiPk:6DWpwE7oL2e+efZwZ08i8Z

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4838) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe

C:\Users\Admin\AppData\Local\Temp\698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe
"C:\Users\Admin\AppData\Local\Temp\698ec42222bf3633a7e452395e806d251f35b6eeb1894b13d0cf404b334135f0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
106KB

MD5
c02ff5619ee88749051d17e368db41db

SHA1
40a08068ff8865e51f2fd0dd3a9da736392c549f

SHA256
94f60cf426548ab9736b551a0435a3dc545df2870399b92a7375fb17ff642b2c

SHA512
dff32ea98bbec0ed8dce8b482371859b50d200ff94cf309f8a90487f146762e714f4dce7d38a431e00acb7b5fb1b854f0876dc69a0555fe8509fd1eac779b21c

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
218KB

MD5
9cc0611a53bd417e2bda647324f8f91b

SHA1
1598317aff18f635a3b9ef55ed986dd5a7b83a62

SHA256
74d0b94be4a68cffcd5bf282c7b5e747507d469784ae13b7932ad93814f9ccd6

SHA512
a9b1803ceb31e1b936a81b317ab5eb93f858d69d20f4b9541d5efb0897f0a872f0d1ea0553a611ea20772c7fb30cd05f1bad0c5892b82a45dde308605ac4e7cc

Download Submit