5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
Size

46KB
MD5

4efc7a9a2fe20a8005bc4f70c77626a9
SHA1

e90922fd75eec710bf89d2dcc6f7421e8d2e1698
SHA256

5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc
SHA512

fff004d5f3140c6339590ce511441441918d8792f648afcd996e7b65415f57d3d7558b30cda9cf2a04e634279c854765b147c9e0060bdfb37dfdb883a746272c
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSsr+r+0XYXE:W7ZhA7pApM21LOA1LOl6vSsr+r+K+E

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5218) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLCALL32.DLL.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\msipc.dll.mui.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe

C:\Users\Admin\AppData\Local\Temp\5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe
"C:\Users\Admin\AppData\Local\Temp\5811b0f883035ce3741997e20aa13a33b43dec5db74c3b5af9438a493d64afdc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
47KB

MD5
2b25e6fa9dfa910f2ebade68c7da112a

SHA1
f311201c73a9ada1d5aea24b67d07255f100391e

SHA256
f41b25c948cf24e26e0d2a021513c3332d8acec08f3ca4d59e2f0e33177683c6

SHA512
6310e117ecfef1eb39deb083a009c67c885c152832a8021c151bae38f8326803efcdb33e1ac7c8467a7ba20b01633b00b37481fa23b2c93f2c9053cf277a01bc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
8be6b4222d17739fba05ccf4e33807b1

SHA1
0a484224279a0c9138163858269ad8b1adb28950

SHA256
a138bc9bebb63b394521b06e7104628d793e659899a27fc50534e38ca4978dfe

SHA512
b217755deca76e384ee185397f46656b50478397c30deffcf49b94ef2775935df68ec758b2d369d868dc07639ba8da5109e3e2d0f27e49fcbceab4128f43510d

Download Submit