e0e3abd9be3d1da5dcdf3f7458860eb1664711b83b5715e9213bef5e3441f5c8

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e8391d172562170fb1e40a5f16833b0N.exe
Size

59KB
MD5

7e8391d172562170fb1e40a5f16833b0
SHA1

bd6a5492563c5a726691a460d8fffc53c23ada28
SHA256

e0e3abd9be3d1da5dcdf3f7458860eb1664711b83b5715e9213bef5e3441f5c8
SHA512

81cabc70245c7313f82bedeffaddffecdff05f194890681b6028707dc2dac035320712a4a22699ccb0180ebf9851d8530e7a3e4c0f58a83f1d9a8de1b75111f3
SSDEEP

768:W7BlphA7dASbS7EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeN:W7ZhA7dAynMdyGdy7YRYWaVowfaVowV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4680) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	7e8391d172562170fb1e40a5f16833b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	7e8391d172562170fb1e40a5f16833b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e8391d172562170fb1e40a5f16833b0N.exe

C:\Users\Admin\AppData\Local\Temp\7e8391d172562170fb1e40a5f16833b0N.exe
"C:\Users\Admin\AppData\Local\Temp\7e8391d172562170fb1e40a5f16833b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
59KB

MD5
8cd7ce23ca4e52af6c063d81164662c5

SHA1
4d4bc38e6e17398440d9c14ccbc4d005307f8b75

SHA256
8064e8c2c3493f1292e60f4e3c6a22b9b0360989a51853accc9a0bf4283055fe

SHA512
4c0a9784a6de225a70292a4edd6cab9e422d46ab27ffdc3ea6c895285f00e294e691cf8132bc855ea8bc64e40095974929da8554f20d7119d93a9bf33492508b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
f38c8a8c0375cfba3fdb0d05d9d6c98e

SHA1
3547613e29e910b8385bba0b8e9dff2aa63bfa0c

SHA256
b22f8c3102c3c890992011f06e481ebef04f56649e7fb57d7c3a1a00f7752745

SHA512
5e5c843ae6abcea4ec9cd409786d632c53cd824cea075e22505971f760008d9004d311555651aa5c4bb7159c25f51d067e3330a6cbe3a31b5f77934148d8897d

Download Submit