3302305bd04b350f566965be8457a2c0c560be7c6e895065457c64bd69275932

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5652d7a999671abef85eb0a12578cc0N.exe
Size

41KB
MD5

c5652d7a999671abef85eb0a12578cc0
SHA1

2756f8663285dc4cdff6ea88f99e14f5e60388e9
SHA256

3302305bd04b350f566965be8457a2c0c560be7c6e895065457c64bd69275932
SHA512

c41ab828f617bf01780e0b0367a546b0334e94a6ae6d1575f3eaa15ab313b11fbd7838aa29c9126f1de7337f60ceeb163e308d38a37a1d112bf71d0e8527d5ab
SSDEEP

384:yBs7Br5xjL8AgA71FbhvsDYcUYcG0Wp/po:/7BlpQpARFbhsYcUYcgp/po

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4680) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\he.pak.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	c5652d7a999671abef85eb0a12578cc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	c5652d7a999671abef85eb0a12578cc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5652d7a999671abef85eb0a12578cc0N.exe

C:\Users\Admin\AppData\Local\Temp\c5652d7a999671abef85eb0a12578cc0N.exe
"C:\Users\Admin\AppData\Local\Temp\c5652d7a999671abef85eb0a12578cc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
42KB

MD5
371c4be402eb244033498648ba964d5e

SHA1
c5343c5fd4a3f494ab92fc674a4316789a2c03ae

SHA256
a93f1436564fcc10b9fb587e309425fab8e35fb1ef087abfc8a120ba82ae34c9

SHA512
f4266fddcfb74a3cbe3ab55986d95a40a75261bd112fd61cf1f116fdf9f10f77c1c3734b403f8a2322fc0bed4abf63c476b12a72c01336dd997a3b16b615be39

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
3920eb358568f868254a0646bfd1c066

SHA1
96dd6867f96e42aa196ea7663dc2301167684fcb

SHA256
e3b798be7c7c641b61fec37861789cc024ef5d568ee5c1eeb5f4792b84ab1c50

SHA512
4dacd38c2cef95c33aa14ba11c8b93bde89fd47afbe1e1361fb83ca0356892012b043d156a229eed9a99191345f09c1490139bef947293ff94825ca8c42ff07e

Download Submit
memory/1584-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1584-906-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download