6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
Size

106KB
MD5

751c50b61df27930858583bd37e61138
SHA1

dc45ecc13fbd5c24181fe9ff9eca8c4e5a5e5d9f
SHA256

6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9
SHA512

66abf34d6c732c8b0bbfdcc014aa0d01b11dfaa3306db42975cd9a06102dea78af9f67df5153210eb9435ef8af04406e8eaafe040ee9b8fdf7366125f552cad7
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZHfFpsJOfFpsJ6Xu:RqKvb0CYJ973e+eKZc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe

C:\Users\Admin\AppData\Local\Temp\6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe
"C:\Users\Admin\AppData\Local\Temp\6517123ec5ad03d6a931f4a31ba16dcaa346a862cf198f352731050ffb83fcb9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
107KB

MD5
9df2f9a074cc75df1d300f5f6532fc6c

SHA1
4f5e450ca53d70cd3741af6498efbf879821d38a

SHA256
fc5f945dd4925ce6c5741c0a7ce0185bf6069e053ee663d42bc144ba7ec1d6fb

SHA512
a9c8648a318b7ccd4ad84e9330e0720ef19e229e2be5c2d9e03174fbdae807ccb4e60ef1e9ccc722d6b6374ed340f9f1aaa0d917285b9d6ce691b526a722f4b5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
205KB

MD5
36e3715db925c102885ad10299bcbc73

SHA1
27785dcccc7f75fa60d64a92461c7968989cacbc

SHA256
a3be1c4f295daef9b52e360f4768f9eb01db2f0d12ed435f60a0bc9d5e2e0084

SHA512
fc95ef782725cf7c4ef96a93ab4df55e658ec2cb2f3ebd86fb0774e14fc5279e0e19d6893b593811494180863d6ae2d3adeba9b8c86e473304d207d7432f7712

Download Submit