4399160427e32acc506cbd534d0947c56711555540ee32bae0616007474e5d5d

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7e46bcc0091a73aa6db3128bb5a4230N.exe
Size

47KB
MD5

d7e46bcc0091a73aa6db3128bb5a4230
SHA1

1d0bbd5c5ddfb0165e27f52aa12f50b11426cea2
SHA256

4399160427e32acc506cbd534d0947c56711555540ee32bae0616007474e5d5d
SHA512

4668b84c1af3dc46cf61f36e83f941e1307ad78586185041d380971b1d5506b965495cc3594f821eb585ab32202d431f917adba2f969d1b79f84001bc11402c9
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0IjftfX:/7BlpQpARFbhNIiJwsJwwnZR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	d7e46bcc0091a73aa6db3128bb5a4230N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7e46bcc0091a73aa6db3128bb5a4230N.exe

C:\Users\Admin\AppData\Local\Temp\d7e46bcc0091a73aa6db3128bb5a4230N.exe
"C:\Users\Admin\AppData\Local\Temp\d7e46bcc0091a73aa6db3128bb5a4230N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
48KB

MD5
092ba8b9a4fdcff5b60c9e7e66b3a942

SHA1
0e0021a1fa7eb14d46b271dff3760c236e4eb94a

SHA256
a02b3c209b63701e024c93c8f52b081dac227fb83d0e556e48d5230f3883c5c4

SHA512
e388a9744b2be040cf4e248a9eae75aa391e7b1667883421808062025d534f96f5adabfe181695350a77bf2a077bf6a62f02121d51638f123c6c59c68555f317

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
73940fee38fcdf1b7b70ba0dfd3885ea

SHA1
2e61944a3def5e22bef954891cfa0543bbcb7954

SHA256
5d4a4b1562016d2313148694d9e82d8704085e9545da44a9018e879e5c3dff9f

SHA512
4805c885a160ad12af73648c59e59c67d5ec104da6136e7a47ea8200639893b8c40970592759ae6f16a4b0843939d3f2120b30e1a0c944250cb8e6a7446a4ad4

Download Submit
memory/2256-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2256-898-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download