7b67da1243ac4a19606455bc49147c64fc2c5955a0b4c10853eb5848f9071b1e

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79382659c18f04135af689aa97c55870N.exe
Size

145KB
MD5

79382659c18f04135af689aa97c55870
SHA1

6cbc6b6eef8fcb0e9b6c76e77b48f1f9751a1699
SHA256

7b67da1243ac4a19606455bc49147c64fc2c5955a0b4c10853eb5848f9071b1e
SHA512

8588b8ae0ed1dc9051a359ad7a9755011347faa3a65ff078cbff74312f7998cd831213c3e8b77ef410884399c978ae7461c2ae2b56762770efff5d3390412a52
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZOf7f/e7WpMaxeb0CY5:RqKvb0CYJ973e+eKZOf7fWqKvb0CY5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp	79382659c18f04135af689aa97c55870N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	79382659c18f04135af689aa97c55870N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79382659c18f04135af689aa97c55870N.exe

C:\Users\Admin\AppData\Local\Temp\79382659c18f04135af689aa97c55870N.exe
"C:\Users\Admin\AppData\Local\Temp\79382659c18f04135af689aa97c55870N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
146KB

MD5
83cf31d00bdfffc99e0a52ecb7d37312

SHA1
0fc2ff703388dcc7980fb7645b15cc6ef0bee68d

SHA256
0e9d3bd9f509d32604d2f9c1025b978be5bcb3a5c6eaefc0529542ebca34df4c

SHA512
d7d43acb8f0cc6ac4fecd5200362381957717582d4c5ccf6453a965cf76b5b7a5c2439129ad8643dfb755fb64faf34276b4b050c5625b4f51dbe8ced41c39ef8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
244KB

MD5
d6bae4ffe5da66ea843e382dd7bb92bd

SHA1
c1f54b314eec9d2ec0e2fe274fc1d79f1197f059

SHA256
b1f298a9f3295bb18f2bcdb68fe8ae9db8eb9da673fee5d38a80289d2a0fe209

SHA512
854a76c0b5975f821e39cc21f36fc733cf7b1d3e2609275224bc44c8203b4c3360b1af2d43f8790ec77c8da5b3114d1f1d446a7493dd84e11b0f1ca19a587227

Download Submit