506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
Size

88KB
MD5

63eadbbd1cbe2af9fb510ff527261b80
SHA1

3ca409040ca1529faa76caf16b707e904eb5a4d1
SHA256

506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981
SHA512

9bdac8ca1c0b5725653626c97d6413be63e22a8fc13f4628fbd00e0d0c152d6261bfd56bb83228068c20ffb48d02c5684a5ca0619ad5888ce678168e36161866
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYH0taH:6e7WpMaxeb0CYJ97lEYNR73e+eGG7aH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe

C:\Users\Admin\AppData\Local\Temp\506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe
"C:\Users\Admin\AppData\Local\Temp\506fc5d7b1a14bdfa5adfba0197d45e78e18d082575c2bc71b24e79505847981N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
88KB

MD5
db59ec4ab2a6ac599094c08dcbb9b054

SHA1
623ba7f70022193342c0a329a66e8a944e2f1471

SHA256
0f2f996a1992546af9cecaa2235f1633bc3de347f34fcc52d0e0504bbf955686

SHA512
a35ba7651dde1a66f4e0dec1cf21527a358762a7a1ef665d51a6bf17cf724bc95e6edfbd362a431c04863a234341e2a6ebd17827f3fbd37e3468b1dc15e88514

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
ac4633e1b665a5280bb2aeb2bb214465

SHA1
3dd99b22ab227d43f6bf35aef0f1a948fe4762ae

SHA256
e861a29589e1ebc293bafbc9db56467fca75af1dcd21ea325c99aa5f2b639ecf

SHA512
bf664d90157e4f4b33d7d8b8ef235290c10909e9c340aa4955da99ec5ceac54db4c1ad775bcaabfb350d94778a76dd69e2c0591505a47fd7cf78685da56e35a3

Download Submit