c65740a0ac5747d6ef9b20916bbe2691d3303ac18cbebfe4a6a582d50084af0a

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4493184dc55f64c3887b48752a718ed0N.exe
Size

40KB
MD5

4493184dc55f64c3887b48752a718ed0
SHA1

fcb5aea477a3b95b607528be82f10fe40ba87e13
SHA256

c65740a0ac5747d6ef9b20916bbe2691d3303ac18cbebfe4a6a582d50084af0a
SHA512

7de7660898cf86c952c13664ef2250b8ce0be34037c4c6f7cc464ab15b89ee93039453bde43b217fdaf1732bb381c3ece83d8e2664a406ca1fa33284eadff73c
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltf+X:W7ZhA7pApM21LOA1LOl6AE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7fr.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp	4493184dc55f64c3887b48752a718ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	4493184dc55f64c3887b48752a718ed0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4493184dc55f64c3887b48752a718ed0N.exe

C:\Users\Admin\AppData\Local\Temp\4493184dc55f64c3887b48752a718ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\4493184dc55f64c3887b48752a718ed0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
40KB

MD5
165eb3a7d06a986a40a00c92be4988a4

SHA1
87a7894b51ac0400ae50cf64a40829ff24eee75c

SHA256
b0d646d4c466af6ecb36a8e01d1e81bf851197213ff25b566d4e17a62fec54e7

SHA512
eeef653c344a6f5609edce13548ad7dc88eee180b983fcc6ec96e78edf1a1e410a2af2493bf6ae2197e198837e1b6dff50f904734362702b24f7df5d54dd7d42

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
708acc5fa381ab3c013cbfea588357ce

SHA1
e531afdfa7da09e23b2c8fea08517779b349b85c

SHA256
26e2ffcbe03ec633d135a80a3845c3b17aeb18e6c1ba1c3826c2888aac94b9df

SHA512
8dde1c22573890c08150688060a1fecde6787e79fc508bd8154ff92b8f2ce3ed21c27d75e008e3757def7f98bb39d1f7ce47af028a1cd20d8e6f466464ddbeb3

Download Submit