e893a68761f110f15fb332d71a85f940f5aa76e8f5ad499e1452fda69f695d3c

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79958401d0e3d307426deff83f452250N.exe
Size

76KB
MD5

79958401d0e3d307426deff83f452250
SHA1

4869e9b995431f13c26351a891a7048c708e9862
SHA256

e893a68761f110f15fb332d71a85f940f5aa76e8f5ad499e1452fda69f695d3c
SHA512

6e8741feab85d2bffa84df20593361a467f8b24daebc448579308b4a9c0a93c238be828861802590f6ee6cd0fd64c2e3e15940e600d409af33db16af1ba1ea9f
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnwR/s4NW2sl4c3KbsvrTgOzkJAopyVFlgLfQf+PZfD:W7BlphA7pARFbhM0KW2s9B4hofAr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4383) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	79958401d0e3d307426deff83f452250N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	79958401d0e3d307426deff83f452250N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79958401d0e3d307426deff83f452250N.exe

C:\Users\Admin\AppData\Local\Temp\79958401d0e3d307426deff83f452250N.exe
"C:\Users\Admin\AppData\Local\Temp\79958401d0e3d307426deff83f452250N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
76KB

MD5
27464aaca3ef942dc8f926fe5a083161

SHA1
5ac262cf486c5a4038fbaf5b69b51dbd746271d3

SHA256
f331bd2dc5ec3fb9af765da8934b1876a455e54eeb07814b3c55f5e29119e090

SHA512
bd31ab2e30c40e6a4b658fb0371d7a7a2bbcb8022f210309232f3ae1dcf88ce92eb5814955472182b62dddebd2716446c64dcadc9e35cb65d8d6c4d5363a3e7c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
89bc6e6dd9d270a392551313fbd83617

SHA1
22ead4a333c4a158a95c25d3d277a2df25313e85

SHA256
e1d8feb90a9bf15113f6e2c532428a6415501f9fcfe4fde92dbd1cb93fcee3a3

SHA512
8b2a0c8dc5dd2b030641e400f5683eb9cc5c4fde50889cda52ae24104ddc8930b51abbc26bad524fe854b3ec1feceef58ec1346a86f4c0ef883424360604e21c

Download Submit