a6e9a8e9fc326464ab07d71270fcb8ac28d16f5a1f0f1f7c90846705ecc30442

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5fe67e8f103632a10f8a36c7d5bc030N.exe
Size

64KB
MD5

d5fe67e8f103632a10f8a36c7d5bc030
SHA1

870b2f02302f21ef63d2071419f2cbe0b8ab8fc0
SHA256

a6e9a8e9fc326464ab07d71270fcb8ac28d16f5a1f0f1f7c90846705ecc30442
SHA512

12db9c45bc6a9c3e67c09d3e1d1fbac5517bfa58044b29e2a54d264b91f50f1de2aae2a4e1b88e619f3e7ddd86cf2705463e116c37b84a5a3c2bca178866806e
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw70EXBwzEXBwOvEJcvEJZzozw:W7ZppApqvZvs

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\AssertPing.aiff.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\EditInstall.wmf.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	d5fe67e8f103632a10f8a36c7d5bc030N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5fe67e8f103632a10f8a36c7d5bc030N.exe

C:\Users\Admin\AppData\Local\Temp\d5fe67e8f103632a10f8a36c7d5bc030N.exe
"C:\Users\Admin\AppData\Local\Temp\d5fe67e8f103632a10f8a36c7d5bc030N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
65KB

MD5
4a06495a6711498c228087679ffa58a2

SHA1
623d5aa87f5f1f10e5b5574a0dbd2db4574729f5

SHA256
dabb612ca4ba82ff3994710ce4360577392e2a90db5f3b8f4ca39009c73ed503

SHA512
32801979582a5f0e7160d789d4fefc3fa24eb1442324c1293612031cec86bad3875cd481983f055cf0a7c35f66f91aa971344654821394c61d98995928d67c8a

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
177KB

MD5
f24dc359e351d1b6b2332c08dfd02841

SHA1
9568e682fd79245215e990c34b0a9609f3e22c61

SHA256
3219f5e09fc3098d4f36cc79854097db293f9167d7b0aa7a25f99fcb1ba9d3a8

SHA512
3bc151796ea9ddcdd6f72b3fb10fa26e852f175f5adffcb3ff458b177d897d9c3ea3e1336f349313a3c0c86c4edcfd6dfd8f124c1e59ab64d22fa276122005ea

Download Submit