f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
Size

33KB
MD5

88ad89708cfa2afd1f9e8e5ab546bdf8
SHA1

f65c57d03e4938d21388e1fd94d7b20dcebbfc3c
SHA256

f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca
SHA512

53913fd6599d47596da4ec7203365246ca3fb621e1a62acb125a69da6655dca32a440ecb3c4e7aa5688a35fdfd0cb0e94195a76b31175df43cd17d93b6daef0b
SSDEEP

384:GBt7Br5xjLvassAgA71FbhvYD/DCgAgUAJOiAJOQe+:W7Blp2sspARFbhlAJzAJ1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Xaml.resources.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe

C:\Users\Admin\AppData\Local\Temp\f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe
"C:\Users\Admin\AppData\Local\Temp\f5258f64ad2832727e295525d14037b1eca5faff74ce056517c7d25a8b046aca.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
33KB

MD5
c98655c33904bf71a18d102c6c7a553a

SHA1
e25a90230f5a23a30c8f3475a0c6701c744cfa79

SHA256
3e2b2a6b01d76b5b95cf774e1b43ddf04d74dcf490d5f64401e17934eaf50473

SHA512
1253cc5ade80e5e0ad90afd50e7db53976d9ad634b29b914da96e15ceacd1efdfb80c61a5bba208c79f825bb2d438f3efbe4e05dd3763476fc0929edefc4456d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
1eb546a8fe7a5da5ee3a3093c0ce209d

SHA1
3857289994204bf2e0d05c86a247499319596cfc

SHA256
c1ea40cb6996bb85f236e8f861b3d4569b561422e1b1b43bf4a50632b153d599

SHA512
b2090462a9e15239dd582ec7e654a4cca2f5b4934ee35cf54f553effc737ddeb72973119cfa3828686bcf38c84f24dbb9c5c8809130adde5627c1032f17981e0

Download Submit