19aea6fd93d734a00bb1eef06e4ac6c216dc4007c19879088409cc8292248325

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b2baa66dfac134ab891832970e6fd0N.exe
Size

89KB
MD5

25b2baa66dfac134ab891832970e6fd0
SHA1

ee3871186080d5c7214b8b2460828f1a62772c4c
SHA256

19aea6fd93d734a00bb1eef06e4ac6c216dc4007c19879088409cc8292248325
SHA512

28e68cf15e70bd2258271ccb47fad423b0636d0ff13019d6cf1cd3c5120e5c8f2c62f5468c9fae9125be40a2d665751886f26b9e20459cb5b50a338bbc44ad9f
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNYy0Wjy0WzYwfn:6e7WpMaxeb0CYJ97lEYNLGj

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	25b2baa66dfac134ab891832970e6fd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	25b2baa66dfac134ab891832970e6fd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25b2baa66dfac134ab891832970e6fd0N.exe

C:\Users\Admin\AppData\Local\Temp\25b2baa66dfac134ab891832970e6fd0N.exe
"C:\Users\Admin\AppData\Local\Temp\25b2baa66dfac134ab891832970e6fd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
89KB

MD5
01debd11e86c03dc767e8f1ad451eeb3

SHA1
98bfc310f08ee7418e5d317559ea081d01388944

SHA256
24579f38329df66a02bb67b9d27734e7e9f75bc50655882c4127431d9efaf130

SHA512
d20dd9f34a144d43919b900d18f05e801ad5b332ed4c36e6b083c027758419debb455258258ce2cd8e1d172c227b68226ca4aef61fde495114b13a775de4a59a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
7aece3a33e4a9e1571b5984253ac9ec8

SHA1
6ff3a7e63a44a3ea3a62c5dc041eb96191954800

SHA256
2102ea67310abeb237568d7c48a9ee3b50511c7bcb59d5dce542d6463ba8a0cf

SHA512
40ad19b31813400413cdea8250c0bdec823eb86f649e77cf9f6f93860ff0d6520f23c6fe12997233d7e6f527e2cd7a6e43dfe77f0de11bee071c96fe99bc71ce

Download Submit