24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
Size

169KB
MD5

0bf0dc5cc56e511eb17b57727ade797b
SHA1

399edd9663bbc71877fcd644a42fcb5f976e4cad
SHA256

24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19
SHA512

0e3b16be59e27e54d5a3d46036a1e4088d93fdc0741319e3a5014aafcb537e833f9508dd52b7f7481e5936454792fa724ce12a0bc3ff6dafc0f63524c6fa367d
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFMEhLfyBtR:PqFh2Ie+eyEuFF25e+eFL

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4792) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\concrt140.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe

C:\Users\Admin\AppData\Local\Temp\24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe
"C:\Users\Admin\AppData\Local\Temp\24753251e130fb6ea48e9921bf8698b985c9754981bb3d1e992ac917b3557a19.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
169KB

MD5
214cfa2f819dcd9622c44b332c086158

SHA1
c444d96409bb534633638c71c2cc8f9ca272ffcd

SHA256
f11f118c410892fbb91f85f1a7d1605e2305287e9a1c4605248c69ac1eacad7e

SHA512
d53bb8879216f455af9455c5b01a2c52a41180281564247b91a887758849c710bab0736f533b84cf0db1b613ae51513c80dd4068986c5c98ea736e3ac527655f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
268KB

MD5
6c938165d3446025567f2d3305a20524

SHA1
1a21e3cf3e9e02e029b137b7d4cf8aa77e7e1a21

SHA256
e47acd29a21bfbf2fce1464b551973110e16ecf3454dbd4ea3caef659be56395

SHA512
b8e55abb033ad32eb502ab771373aa54b294de60009c1a43116ce2839cd2ad0f33d85c937abf9d1af8270c1c54eebc2666c7baf94e162a81ed4b889d959095b8

Download Submit