d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437c

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
Size

37KB
MD5

aee0036d5e74dc3c9bb63a3d6419d990
SHA1

916153131d1b8a311d81661e5ce2ed4e858ec2ae
SHA256

d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437c
SHA512

076fb84d34e8aa6e7d0ebaa84d800ccdca6ea9a9070db013288e0efd9718a48ecfa94dbbcd8ca18797d62023acc23e67c95741451b04840a38fd87d35c5e7685
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltz4Q:W7ZhA7pApM21LOA1LOl6Az4Q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe

C:\Users\Admin\AppData\Local\Temp\d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe
"C:\Users\Admin\AppData\Local\Temp\d616d5bc8f38d97c1e324e11e785040d3183f11c212e9c8c629be0cd9587437cN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
37KB

MD5
e544062e74407105aae0baa190e15b65

SHA1
280cde1498d960e70c72b8d27afe100275a2edc0

SHA256
a2a3c0dc28257a0396469a584ea5531466ef093865a1a9d5d687f28803f855b2

SHA512
ac6c3ad8bf222ffd946c6dc3b9cdd76a945f54bb7db29f45d70ee3e4642bc6ab662b026d9ae527dd1ae5707cb7bd1e7b50434b37ecd795f87086f7124c4d5306

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
fd5545afcaaca003fab901eca0d19736

SHA1
a698e7554b58d21c691f131a98171e39219e5bf6

SHA256
ccc3c211fee3608a514a4f090e664627e91ab0260cb199692075969298bbe111

SHA512
978c3a42ac1ebc9b54b2205b351ae671c81705211cba637ce4643396b68bf58bd520d51a166a943fb6a105c181cccf559607e4f0fe6480e8dae2033c5e3fe284

Download Submit