7214080e6c5017e6cc075d2a868f00f647486aca10c0fedaa62ca02cdfef3f2e

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b2e189a5d544eb3b35fdf206061270N.exe
Size

40KB
MD5

15b2e189a5d544eb3b35fdf206061270
SHA1

156ab479917f5ea487d022112782ceeecb723219
SHA256

7214080e6c5017e6cc075d2a868f00f647486aca10c0fedaa62ca02cdfef3f2e
SHA512

d7c439992e052232e25d9f1ac1afb3dde0a3215dba9df0cceb14d49761b399ecde0266e28b36f05203e6d5b7fbdeb639952daa7b102cdef1bc38d73916fe3c2c
SSDEEP

768:W7BlpppARFbhjbhPKueKudLw1LC5XQozeK:W7ZppApB785XQoZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4665) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	15b2e189a5d544eb3b35fdf206061270N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15b2e189a5d544eb3b35fdf206061270N.exe

C:\Users\Admin\AppData\Local\Temp\15b2e189a5d544eb3b35fdf206061270N.exe
"C:\Users\Admin\AppData\Local\Temp\15b2e189a5d544eb3b35fdf206061270N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
41KB

MD5
36012c87f1f6b849bd9a4b55506cda9b

SHA1
51d02f71637aa6c1a79d977fbb54856978c467b9

SHA256
dbc2b880bdcab8707fc9936590900f13789b6180b22aee65c70a27d5cb07bc9d

SHA512
a9719c9089a80397519bc12730fc462350920ddf4a67c5139e9299a2b6ad8f0765574b0e3b9eb4efe805dbac95356bea5298b879a05fd07e793f4f526fd729ed

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
a6708b8a597b0652f73bf53e6caaa053

SHA1
f093a55ac0a877e51f7ceeb85faacba61adf5397

SHA256
0eda1bed6f37977d6905473bc3fcb17e9a7ad588057148f71cf05db9661dd2ae

SHA512
39f3fb5af088e6daca06e9dc25d9860f28df77ffefbe5f577b2f6d537f09488ee43cff8c258d2e07a816d3a8f0338d96368458092a554a7accaff50693ca3f2d

Download Submit