a9c46e8f6d9a1d486269e698175efe99e769c32af713c268889d268945558402

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c7515437279604a66d4b7ad0e20f50N.exe
Size

44KB
MD5

51c7515437279604a66d4b7ad0e20f50
SHA1

d87cd9e035d7edca3d9913f1cfbcefef8eea8cfa
SHA256

a9c46e8f6d9a1d486269e698175efe99e769c32af713c268889d268945558402
SHA512

5b74296e65f5be0ca7f27d925dd41de88fc2afaf6c91b8d23ccbbc062d7ddce3d307953437ae802a5c4d040565d7cc01ad947eaf46e36c5cd3793b7077b7166d
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3wso2IOiJvfo2IOiJv1vAvq:W7Blp9pARFbheso2IOiJvfo2IOiJvN

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4675) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	51c7515437279604a66d4b7ad0e20f50N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	51c7515437279604a66d4b7ad0e20f50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c7515437279604a66d4b7ad0e20f50N.exe

C:\Users\Admin\AppData\Local\Temp\51c7515437279604a66d4b7ad0e20f50N.exe
"C:\Users\Admin\AppData\Local\Temp\51c7515437279604a66d4b7ad0e20f50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
44KB

MD5
8b8591f5b02954f44be267fbd48ca599

SHA1
57ff153d4468c64623047b69c7650b3730e9ad03

SHA256
91e6f151ac3a0a3e5e0029896c7e2f9d49987b24f95809eff10c2d3bcb27f690

SHA512
b11e65cfee84a9b2502ddf2f1ec115f68e619b051a6279d50fef93c9d16bf83f535f9c9200da7a9f49dea9e29ec042e7d2f88e73f596568c5fdd7c3e68bc497a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
1ad3bdec16ee4742db0d16363efab3be

SHA1
14cc4497e6ff3b79a5d36f5a973ac5dfef3d873f

SHA256
06c25336c4464d1ccb5c8e526bce5c76198aa5659da9ff0303129e9332ce37aa

SHA512
53105868ce644e4253bf0f7e1df8ef9ec811b8cd3476047f6e843212d518a28423a8210a07fad4d113ac3a93ab865382a3a4750d5a115b704e7c735b2978620d

Download Submit