7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
Size

74KB
MD5

13c4cc6c04e313634ea2a90a15fedf60
SHA1

9148af319a2199399ffd66aa11b410a89d49d027
SHA256

7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936
SHA512

daa70be3cfcb853d06b9f801d50eebf5363cf14fcda50ff6ec1e4160c493d396cc67bc2ec6b18d5da27d95c940ba671ae5744b6f0c970df8b32d41a6395243ac
SSDEEP

1536:W7Z2sspApkZrZ4+fU7lK1lKT8/8yNCNzdwEbdwEgcR:62ssWpcU7lK1lKgkgcR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe

C:\Users\Admin\AppData\Local\Temp\7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe
"C:\Users\Admin\AppData\Local\Temp\7d057f4c616ed2a056e9e0be245e53e08442e9e725989fe2428f492254f99936N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
75KB

MD5
6669abb3732e14c9f332c6a99b3823e4

SHA1
5227ba50132c8f744d4cb24462b35fc4b513c6ae

SHA256
f2f65130f6ba0aa8a77f2a52fb26197bce385434c585a44cdc3f001e94f93ff6

SHA512
eca53113dc221afdb01bf38293d3508a93d4fd865b047741cc5cb73a853b8512761baa3499f47a22824cbbcda461f49e3c79e9a07132f7b976d9a41b7a89bc2b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
525ff221923cb5e04a711e13b2fa9eb1

SHA1
cbb88928d50464f92a4efcd127b968011737bb04

SHA256
fed77382fa5fb32ea2e0fab6d26079aeaf71ed190a94e318f70b9cb153fdc1d8

SHA512
c9b8e1c9ff16f045433154dba378f04608d5805ee62bc0e6a2513bdbdc93c8891b68f0ae69edca1c8852206bd4b56738ef537e89ed0b1a8942772ad756b7d65d

Download Submit