188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
Size

43KB
MD5

4adf60f07301aa8fc2f78349fc26a10c
SHA1

01bb60461df6b361700660863154a65f6d30c5db
SHA256

188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f
SHA512

ef32c7ce0990cb5fd95ba341aa616248acaf1414b9806d9543f1dd541780a84b1f3b080f4c6cbdeb82db929221824f175d597b984333b38b98e1dd22ac2309d8
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzSMn76GRI0Mn76GRI8:/7BlpQpARFbhNISC76QC76A

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5047) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe

C:\Users\Admin\AppData\Local\Temp\188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe
"C:\Users\Admin\AppData\Local\Temp\188c92fad20e985cfaa121a17a2486ed278577f4dbd7bdd14db5e50b46a0bf1f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
43KB

MD5
b53ba7a5b73c4a1243187d07b32ff389

SHA1
3a06eb720de6e2ef07ed3a2e4be8fa0458c3a9a3

SHA256
1d3c1e38268b132e5466bbc48cb78c3fe8740a2886a31b209ef5c4cc08bdb79f

SHA512
fae9a316b35521c5f74d0a36d1e13451a2d9970a4f7a2dd8ebcac28bbd9a6e66b27cee3b23ff1828bc134b187fe294054c4d5e1b57443315fc2dc5408e263efc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
5aaab5c9e5053415e31b97df37780456

SHA1
5e2b3048026321039d78f3bb3974da1347c3f62b

SHA256
b820bb52b7b39419fb9fb8c9a411a5a6bcf45eb6403a366e29e2a6a3794f7c70

SHA512
8b9424a8daa63b213e41c3a0d04cae12e854eb73f05834df4bd6357cca9f618b861348ce2ced0a7e1679a9ac6f9030df45483dd68fa95687c42f2d5500e6d6fe

Download Submit
memory/3988-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3988-856-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download