61f23cefe0d58747236fd1cb50e6ed71f68af688e43544133ad183a799f4a729

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df7be3837a3ada397294882f729d750N.exe
Size

34KB
MD5

7df7be3837a3ada397294882f729d750
SHA1

d530df21494d103ddb09f04c5d420c35c9801176
SHA256

61f23cefe0d58747236fd1cb50e6ed71f68af688e43544133ad183a799f4a729
SHA512

ada6efb20bb7d648af23be92e199538bbe0b58f8f2cbdbf01bbb75bd2089d213ef038d41ece1da9f847bf2e4ebbb4331dccfdb5f4bb5f032192c456983d85441
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPcYjoPWjyjoPWj9uu:W7BlpDpARFbhGwu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\descript.ion.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	7df7be3837a3ada397294882f729d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	7df7be3837a3ada397294882f729d750N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7df7be3837a3ada397294882f729d750N.exe

C:\Users\Admin\AppData\Local\Temp\7df7be3837a3ada397294882f729d750N.exe
"C:\Users\Admin\AppData\Local\Temp\7df7be3837a3ada397294882f729d750N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
34KB

MD5
98a771c66c7904461034e2a31c0d4dec

SHA1
7b7efe25c99730b7a0d99b8a580d81239507d9ee

SHA256
1abe8a2540ca8598e110b44b3b40d033abf37c9f8e6aeb769e4dc6b7682d7a6f

SHA512
bdc1b2e1f2d33285034d824dae05659799bf0edb0fd620d69d27d4dad772dc6dc9b4e8a1eaf4a14b150e14e426b0c6e4a60c032d2cc863b10b35ac4948a53c79

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
a6d471aa77aa422748648d83d18826a6

SHA1
31f87b3b72b2bb8668df6b661a3a049ce64a8ca6

SHA256
e765cabdeb60a8b08813eb07aea3c02b598e7196262b417ffe41d88cfe75deb1

SHA512
065aa0c8007930ee49747b9eb7dbf33e594c7257e1fce96f1e619fee1b3b921287c3dc7c238b669f600275a513e26105fdae19acff26c8f1b63acf14b4c859a2

Download Submit