d5f5148d86595ee3cdffdf27e7bd0b4302539eb764a44657a8e2285a98c3d133

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635e4c0f6d10f374bd1948f660b09eb0N.exe
Size

56KB
MD5

635e4c0f6d10f374bd1948f660b09eb0
SHA1

cb10381b3a15595f6a66c485009dabc08469753a
SHA256

d5f5148d86595ee3cdffdf27e7bd0b4302539eb764a44657a8e2285a98c3d133
SHA512

6089e48fe79d67b2f5d3205ec6b28d1d5cfe6a80d764259262119a00853d8eed5d5f35473829da8448347811fef6018a1bce5a8fad9764a4a961da827a3b8518
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOd+QR5WAnWAE:W7ZhA7pApM21LOA1LOTRjtE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	635e4c0f6d10f374bd1948f660b09eb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	635e4c0f6d10f374bd1948f660b09eb0N.exe

C:\Users\Admin\AppData\Local\Temp\635e4c0f6d10f374bd1948f660b09eb0N.exe
"C:\Users\Admin\AppData\Local\Temp\635e4c0f6d10f374bd1948f660b09eb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
56KB

MD5
dabcbac2557a59faa3639a351666e3dd

SHA1
4d85fbc7109b2c33b565422cafb8049e89d1ac00

SHA256
6eb91f699aee13ee1efc48aa6a14e7f029f634d6cc583bacfd1677ad57d22f96

SHA512
fa18e27f7a28586517c422a4b974dda3821dacbee946a8cc7ff8d77079fec5bf4b76f6e2f52cdc136b6d9dd59ea68e6c91f73fa6334448b64664d08dafb95e27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
78f38950dc918574027a1d0d9deda853

SHA1
a044fd18fa4cb55343c48ba150856983749fa5a2

SHA256
0d264d28a942d8360dbb383c0697a0b09d8fd5436f0f004e2022c388daf1cf16

SHA512
2dea48a365c2ae19e0ba61f14b761123bff411c0e8822fe8068068149bfeb7a38aa8b666e9cad7601aa88d8c3af71a081912b3001fac9558b16bd851103739d0

Download Submit