efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
Size

49KB
MD5

65ce0ea32def27c198744b9bdedd6e54
SHA1

7a411f05f6a7cc078e51c842adc09e2305178918
SHA256

efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e
SHA512

f33ce8b063703eca1178510acd2022b9bf653b92b9360e8ffe7aa02f4e26be8fb4a2b58329589a2dcdbc2610e7a949460dd76961f3caf07178645031a39d3da8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLcX4pNX4pRbx:W7ZppApBULcfpHLcfpyDgpupH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BRADHITC.TTF.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe

C:\Users\Admin\AppData\Local\Temp\efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe
"C:\Users\Admin\AppData\Local\Temp\efe79f67459c8ff935ad6408d64b72d3e6c4646703f7357b11b82cd6a7b8236e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
49KB

MD5
c5ddf834540e136f35f30ef30f5ba29a

SHA1
e476256a8195b1172e69725d4172ec6c3e901e30

SHA256
5817f11888e684679fd04cf65ce1a68578ce25bdf137f223a06e515181bd1f93

SHA512
a8db133a58098309d6489c35b052ec44a8497c745724b383a8dcc6d428d7915fc855b04a440ea7d24f6663539a753c5b4b4f455ff6cf93d2cc2f8b751246aa9b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
4dee38b245092dff623723342b5c0f64

SHA1
f1650aa29805141e3f787133fdc40a5a0a922856

SHA256
1a0c0bf1693af36ed9a258c79c955b90569d3e9d9ef38ba7b1c2003648c35e7a

SHA512
2877b549a144d1dd8a1664100fe6f4e87d9d070d1ab189f8ed7451db01e8827cd5cc947fdd94d68106577df2fcf6876ee0a3eb2d5bf6e13ea7ea678f6db8ca8d

Download Submit