f18d8f89296a4ed61aa2e8da5f0ccc77609f7e5a8b5a4e6cb66f0be3503aebd6

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667206f370ca4476db80707d04f8efd0N.exe
Size

45KB
MD5

667206f370ca4476db80707d04f8efd0
SHA1

f5191ff0db54a33b62d546c2b0de528e13bf23f7
SHA256

f18d8f89296a4ed61aa2e8da5f0ccc77609f7e5a8b5a4e6cb66f0be3503aebd6
SHA512

4072c6781a564ee0d5b16c071a74417088d82f135566bac72fdbc294790d0ae329068f9076a656ee4b012c5793f973cc3934abc0a673c2dc683b43749adc0eea
SSDEEP

768:W7Blp2sspARFbh5YSfff9n1oXKCqzEIn1oXKCqzEM:W7Z2sspAp5YSfffV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\JoinSend.wmv.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\DebugSet.wav.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	667206f370ca4476db80707d04f8efd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	667206f370ca4476db80707d04f8efd0N.exe

C:\Users\Admin\AppData\Local\Temp\667206f370ca4476db80707d04f8efd0N.exe
"C:\Users\Admin\AppData\Local\Temp\667206f370ca4476db80707d04f8efd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
45KB

MD5
cd95bc77213ee24d234bd86c283ab8ba

SHA1
9a3465140377aab072484b03ec0f3ec19ce01778

SHA256
d30213103fa01c20785ad4820cd5fb6b52461677047297c96ca90513beb71a61

SHA512
51a5dbca6005970913861b180bd54fb5e8b36b12ec328a18c2a14819de5c5c49e6aa57d6785037c42de0e06da5c44317f34795c29fd85c0eed44bf44e0b72fa0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
88c5f659f356d2e56566352835b64d1c

SHA1
40d272b0893af3bee3f4ff2fc64d35fa31a1d8a2

SHA256
f14165b352557cf80d0cfb89859db010b35031d3514f84e683c02d1203045b48

SHA512
b7a7fc60e149c463055b1b8d80368e1b4a201048a54710520582e7278bb112d3c8fa2731efdd9607e1f3c5a59e691679bdb8562f51161393fc8c4220f5607537

Download Submit