ca5e8b9a6e4a591566fc1293db101f958c98e5c6478d7d165da2a3b1b1f20a58

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 13:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

636ec104c04837f34b07127f3b0e9020N.exe
Size

51KB
MD5

636ec104c04837f34b07127f3b0e9020
SHA1

999000b76ae2970307f8ecdb043e4918b7ee7ab8
SHA256

ca5e8b9a6e4a591566fc1293db101f958c98e5c6478d7d165da2a3b1b1f20a58
SHA512

8c8f8fb3e35b3cbfd1d382726a1b51f21e4e29d615dda02f8dc97ba6a7db646124c5bbe00a749345afd84efab454abf6e0d9ad94d235efd48e2368664e8e414f
SSDEEP

768:W7BlphA7pARFbhM0KW2s9B4b09Xgd7jylZqzplknXGIIi1xgknXGIIi1xQ:W7ZhA7pApMaxB4b0CYQ3+83+k

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	636ec104c04837f34b07127f3b0e9020N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	636ec104c04837f34b07127f3b0e9020N.exe

C:\Users\Admin\AppData\Local\Temp\636ec104c04837f34b07127f3b0e9020N.exe
"C:\Users\Admin\AppData\Local\Temp\636ec104c04837f34b07127f3b0e9020N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
51KB

MD5
3178805ac174503e47bdefe72142a00c

SHA1
3718732753a1c3b85cc9bb6266eecdb31630e457

SHA256
a66fda027eb95efc9a6dd998c2a06ca4bdb13f384fef14a6cf7f87d5c57bdbae

SHA512
7596ac913362aac29d1f28bd0313444a9d42b43eb08731f5b221adb401059ba5e384257c83fe449456b3ae310bb7247a84b40b85ed66d26a1838619c4fd376af

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
e8ffe2bf34eec7669465f35d8cee365b

SHA1
7980650e009d6ded6c33f763df02f1766c05422f

SHA256
c5eb593e81ffa7e7624b6c5deb6edaa49971e04a92c1eb3577e8eeb167bef1e6

SHA512
1e9d2dfcd0c08aa3c74594f6a76173174c447dc52ecdc4ac4744d3c8dc0147bc7ce9b088b6598f0ca396df87ecdbe9c5b3081ee2ed188795336a3154551a352a

Download Submit