12ea4edf7272122dd2a789aa67dc7a2dec70eb86664c6833804e37ce4ba259c5

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de53c3f5d1f7b1de2ab00682d104b6e0N.exe
Size

49KB
MD5

de53c3f5d1f7b1de2ab00682d104b6e0
SHA1

eb321daa2e57874830ff0ddae85672a47798d8d1
SHA256

12ea4edf7272122dd2a789aa67dc7a2dec70eb86664c6833804e37ce4ba259c5
SHA512

a61eca5b732aed14636ed835569bdb6ca3e27e14f236b7cda9caeefa910d3025d8a1b270f3ce48eb79320f7a4cc3b6c4cdd051738abe18f909e31accb0f31ea2
SSDEEP

1536:W7ZppApBULcfpHLcfpAfxRfxuw1wSY6IY6UPV:6pWpBwchcKf7fn2C

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	de53c3f5d1f7b1de2ab00682d104b6e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de53c3f5d1f7b1de2ab00682d104b6e0N.exe

C:\Users\Admin\AppData\Local\Temp\de53c3f5d1f7b1de2ab00682d104b6e0N.exe
"C:\Users\Admin\AppData\Local\Temp\de53c3f5d1f7b1de2ab00682d104b6e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
49KB

MD5
b1236befe61360d050b17a5e3e8c6489

SHA1
9c7d6b49d015daa15532c4dff28b7a80e94c372f

SHA256
6dd824014a59ce3bc01cd9b6f165dc54b327e3b95a3f6ce2af7ab1b49a2da955

SHA512
838f13a156e142f83b0ebc47c5d67ef15bf97bfa874511d7f95365a0954ad95800c96d098f76bfaade71098f329e1b601d93f512fef67c9225ac74b751eb78a3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
e00e3053fb865cf4ed72a236daaf233d

SHA1
9e61927c4fe37f8342c22dcdaf1e506bb945f77d

SHA256
feeeebd31495510d6dfaf3101da7aa95cf8f3177fd840b3fd26e4b6f5e4be7ad

SHA512
5774aeb5c106c7e69fc0051cc9f3900daaf211390c2046f23c8ff78601418749a135bc951cadf81a0a621715460b35c4c7fe31057207dedae5266fb6a4b7cd9f

Download Submit