50e6ae2379c3850e13d142558a8499f99708efa9202e6063a26bb8021937b9c1

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61594586e1d34ee7c034d4362a487020N.exe
Size

40KB
MD5

61594586e1d34ee7c034d4362a487020
SHA1

752193c184f9e02aaeb42e9e117044ddd2208444
SHA256

50e6ae2379c3850e13d142558a8499f99708efa9202e6063a26bb8021937b9c1
SHA512

2291da3ab8d0ee262b1ba3dc838d6d16d996060906a128b4ff8d687a4fb4716f1ea3c369c7dcdc09828b3d35a6bb7c2f59185edda9eda05419fd5634b0d479f8
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhv3KueKudLl++KdcLUA38gdcLUA38gl:W7BlpppARFbhjbhPKueKudLw1b

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4651) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	61594586e1d34ee7c034d4362a487020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	61594586e1d34ee7c034d4362a487020N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61594586e1d34ee7c034d4362a487020N.exe

C:\Users\Admin\AppData\Local\Temp\61594586e1d34ee7c034d4362a487020N.exe
"C:\Users\Admin\AppData\Local\Temp\61594586e1d34ee7c034d4362a487020N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
40KB

MD5
3b7fa2ad9e934965c5f8393147af22ee

SHA1
4ba25525b931856525a7436d8805b4ceb3d5f9ec

SHA256
fc88028a5489fb2471b6ce641ea99b2e0b1ae53dd1406976fb29cd3c3028226c

SHA512
4c79314365c6bd6c83f732b9a12c7e43c34824741fef022c6c98af59978c7b168a1728791bdd4c6c8d4bb321334583fb05c385e6ed71fab88d22362529005f67

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
1d20c4270ec03be572dedb7804214e7b

SHA1
c40fbbd94ea75d9ba2b71e73042563c5a815e782

SHA256
5247b8aa7af1f09b713f95a60a2dd584b641e20674b8ef1b15e783dcedae504a

SHA512
0e1379a5e99e8904b0ff07825048f2b68d789af5b12f080e811360febdce5bee594d912e77a8c9c6efb7989a13d32809d86867f5035db63947b95c7757053b20

Download Submit