bed2a30b8ce4a8f89356bf9e2959bb1b35849b1a71686f22b28720dd5de66030

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fdaa7245aaada1ea614bc686f307f00N.exe
Size

36KB
MD5

5fdaa7245aaada1ea614bc686f307f00
SHA1

9437a72deba8d40664409e80d0819fe30e95628a
SHA256

bed2a30b8ce4a8f89356bf9e2959bb1b35849b1a71686f22b28720dd5de66030
SHA512

74053c049fa0d3cf02997132ab8c77d92d67fade749ba494fe65c92b9ebc640f5e1278d7f7f199b8ec18b9b74bcff9785c761f54752fb106438e9791f13501db
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHJyBWYTuPTDTpI+DWYv:yBs7Br5xjL8AgA71FbhvM5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp	5fdaa7245aaada1ea614bc686f307f00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fdaa7245aaada1ea614bc686f307f00N.exe

C:\Users\Admin\AppData\Local\Temp\5fdaa7245aaada1ea614bc686f307f00N.exe
"C:\Users\Admin\AppData\Local\Temp\5fdaa7245aaada1ea614bc686f307f00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
36KB

MD5
716635a2e9c3bbde44e747e459187000

SHA1
8a251f7c5e3fceccf57c024a129f510eb19da06c

SHA256
8b9f205c7fba9ae21a46eaf43cb579b95d93c21a5ccc4e02c5ce6a962eb5fe12

SHA512
de82918e80e0f77db09530252252726750aa6bd2b7acc549b0d2da129cf6b1733ea8523a2600b308bb20a99ce25afa246fc0fbc201174746d02d5f6d0e894745

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
37aeb7d95f90cd069512447a19ed96f1

SHA1
3f7c38f554459eccb17b0a31c845ddb1ed8376c3

SHA256
48b87bde03ab5ea0e23d1c961b50ddb299a1f7f217bf047feebe89e0c68d067f

SHA512
542e2509ea141023aca7e194bd689c2da37558d747d60850c1cec4c96a0e08e7e5e99f86e6c51a0a28d58c59eee2e9abdd7b11410110a92e80f58ea30ebeae06

Download Submit
memory/2404-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2404-906-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download