ce195ced486637b9c058fbf1a8ccdf3189849d556c6c0ee6319629e211accc90

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04977d8f002efe5bd41927712007b650N.exe
Size

48KB
MD5

04977d8f002efe5bd41927712007b650
SHA1

b265ec2f4d314bb96ef75df169fcecab85ad9e94
SHA256

ce195ced486637b9c058fbf1a8ccdf3189849d556c6c0ee6319629e211accc90
SHA512

4c72d5d95439211b7b387cbf5ab39cf92af10dd7e733764f3c439c434e0c1507c7a8b1fc482ac77f7328d48f4d3bd595295e7b31301d8bf08844ec6d1238ac66
SSDEEP

1536:W7ZppApBULcfpHLcfpyDDnTxASYnTxASshJ6X:6pWpBwchcwDDnTxASYnTxASN

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4674) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	04977d8f002efe5bd41927712007b650N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	04977d8f002efe5bd41927712007b650N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04977d8f002efe5bd41927712007b650N.exe

C:\Users\Admin\AppData\Local\Temp\04977d8f002efe5bd41927712007b650N.exe
"C:\Users\Admin\AppData\Local\Temp\04977d8f002efe5bd41927712007b650N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
48KB

MD5
c181f7f20ac84ec1284856c60b108616

SHA1
afd5240648041989243796a8ffa06c2dc5296f70

SHA256
789d5dfd8f51783106bd7a55b8528e4f98364fbff88fb3722e3bbb8475f35745

SHA512
9f2f507f6ceafda5bf0d398648e1a7c93d97e26dffa4d3b46b0a64cab756011ec95e6b9d2823be134a8b13edd27524e783d55fe7e14c6b90bc66aa87ceacaa60

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
1fc993b33935c70472e78489b77fe1a6

SHA1
abebc1274ac1e09bcd7d92ff50e008348841fe8c

SHA256
61f17b0c349ccfe2333dd6ae986606bfee30051ff091cb0532a118e0f4c812f2

SHA512
712a8834a4732facea39368a588d65faf612f89204873aee2635645e2259587b5ffe9cf622e6bdbd88526925562da640afc6d57e5568786274ae792091a08c01

Download Submit