907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
Size

49KB
MD5

5d10e27b7a48c3fc916143edb72d2c13
SHA1

38553181c662695eb387c5434eb1ebfdc21bbb3c
SHA256

907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b
SHA512

75d6529d9d58f62399031c14c7b4fb56f42c7757b5ae85befaa4007322974bf447de889cc356cb5f5bef73994de57c09bb2909e176fbe23b1c7db7b0536a5642
SSDEEP

768:/7BlpQpARFbhfyiyooa0OMiJfoa0OMiJ2kAHAvmdGwmdGD:/7ZQpApHz8kAHAvmdGwmdGD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5029) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\BackupInstall.3gp2.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe

C:\Users\Admin\AppData\Local\Temp\907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe
"C:\Users\Admin\AppData\Local\Temp\907435b8529108a6cbb061374e7021fbc6ad4c3bb7aa49c186643f995105cc9b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
50KB

MD5
754fe9a04ddbd62826ff77d5c067fa38

SHA1
185f89668269e3f1158e8640d837376ab1e03706

SHA256
a54d79fa225d0f019ddb61a9f79f6e189be21993dff0e21ac825db0921b6d21c

SHA512
2e05f3db88eda45c53b3bb18df5576fb7ea2821df39140ae9637d25e0323a65ea939e81b945d18114c304e4b900e7bdb9e8afe52db7903286026c25b5eac8e51

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
6134f90c08e0ab5ac5adfb554c89fe11

SHA1
11b60924c153e03cc6c86fb119be9c7debfd7c9a

SHA256
1ed363f490ad681861cdcb7ac08236ac7d884b1c793a7969955bbe296bcefb25

SHA512
318ca1b95cc5efb82ab7cda5fb198d0a00ef057282c5e9466b01fa48cc5bf46700d13a3dfe1f745809bfdeb7878c426d000f18acb1e26e9cd04dfe6b6499fc34

Download Submit
memory/1860-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1860-924-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download