a26b108197a62170ff6d75f69e0b631c92f1e452a5ba31dd9f3f59b12f813e28

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 22:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

75bc40eeda67a6ec35016308f48511b0N.exe
Size

61KB
MD5

75bc40eeda67a6ec35016308f48511b0
SHA1

80997d240b3f082c97d6067ac87915039e0c45fc
SHA256

a26b108197a62170ff6d75f69e0b631c92f1e452a5ba31dd9f3f59b12f813e28
SHA512

c9370d1e472c5fb6669a5ce241480e72b6b767ab8ac52e45d110c13e8da1efa7077bae5382e533e07cc1db488606facb5c87afd5780b9423cb39d61ef13ca4eb
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJcUYU30N7AVn0N7AVaYr2N2ZX+910G:W7ZppApkxUYU30NQn0NQaYiom

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4645) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\ApproveConvert.cab.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	75bc40eeda67a6ec35016308f48511b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	75bc40eeda67a6ec35016308f48511b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75bc40eeda67a6ec35016308f48511b0N.exe

C:\Users\Admin\AppData\Local\Temp\75bc40eeda67a6ec35016308f48511b0N.exe
"C:\Users\Admin\AppData\Local\Temp\75bc40eeda67a6ec35016308f48511b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
61KB

MD5
557be1a7c351452cfa6b4a76836fcf63

SHA1
c706e1338006525bfda914949a5fea0ea32b9608

SHA256
ac71a525630c3b027e16106d97c4498d154ad0b4ad6c8032e449097b8008fddb

SHA512
4064900a83f8141260162aae512874623e7f23dd7cd7f8e81533338c7450008657355ff048c1bbdedf2dbbb6e9f3314718f3f199c3bbaf32fa597e6d18176a7f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
ddf3ff89dca98847a163c0b40a0da85a

SHA1
ced0d1d1a425577faf07db615692ee223f6200be

SHA256
f2fd2d6ac84e32544f48de2f846f5416492f42b5b5dfa6f8b5d4b61fce138142

SHA512
7cbe655a94952448d80314aebe0e6cf9d28d3cb5f988b199c9e3d24144e42e57a8ad8603c0f7f5106bd05a77d0bcb140e6e8d49d6c9f0035d45f6a1adccfccb8

Download Submit