21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
Size

67KB
MD5

c8995a93b9a9a68d0abac378a3e09650
SHA1

a417a5dc5fcbab0e371fd87d0f3de5b01e61ad5d
SHA256

21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527
SHA512

0364d794c61dc280ebdb15d73a9b9bcf782aeff9d47535a4a50d2ef09d1ce44bedae4935975eee83ed7fb3536bbfa78797d02ef9cb2e9c024e8036da7ac69ed9
SSDEEP

1536:W7ZppApBULcfpHLcfpX2/Nw/NwmxLTopK:6pWpBwchcV2WxLTl

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4573) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe

C:\Users\Admin\AppData\Local\Temp\21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe
"C:\Users\Admin\AppData\Local\Temp\21e05ec1d25fbd8a6a56d330b557d479f1bad01b3a36b65d032cc56826b0c527N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
67KB

MD5
aa8cccc77e96503dedd1321bbf19cf7c

SHA1
486fbf5551f182291f604bd9902f82c027aa7a96

SHA256
091438a709eb308cd6f6ec397600d5e967ef6d1e552fbdcee6fa366853ed73f2

SHA512
0171034181d177fcb692f9c68530b3f8321e830fd90f57cba564ba9f9c390ced95721278d1a347a79ada1069db9278a45d5c7d4ae4fca425f65c3c8fd0d4a836

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
166KB

MD5
d85db1666cad28bed1ee4b7acc310eed

SHA1
ae14d77ffa9d1e47885c2fa47687e9550c239d37

SHA256
2e73e83b4f8f02d2fb5ef3c3f268a8d86ed6fbd5e6cd3ddff45d2ed387427ca2

SHA512
8ad132e828bdcb742694c8f30ef4acda13ec923f85d80291a93597222086cd1b1adef197af748c45a4afd01b9754672cd547e28853b70c6fc2eef3d482957374

Download Submit