1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547f

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
Size

89KB
MD5

7d91b231801f86da3edc75974ee43a80
SHA1

5262e6874e861fd2c40b28e2abf284b493d469c4
SHA256

1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547f
SHA512

6071f01e38328bbe627a6a246063f8be5f67d4417fc193288133a5e33a56d7f793af548631ec5031106362996382fe56ab0b224c30f074a9de09212aee27eb96
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5GT6SsDrgg:6+WpDfmRfmh2TSDrgg

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4865) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe

C:\Users\Admin\AppData\Local\Temp\1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe
"C:\Users\Admin\AppData\Local\Temp\1313e2c58565595760ee965daef570a780ff49a27924ad85f48dd9d3a819547fN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
90KB

MD5
f3b3359f07619bcf0ee1ea29b50d5fa9

SHA1
92056d4616d8135b3938761a9c1c5e354c7a7fcf

SHA256
bc7f9a356948501c865a4db074a1cb47a7499250ff9e94402267da2d04ee57e9

SHA512
a154c1b7e41d074db7c140586322efec8008bcc441439625da4ed3c3202ed7dc9fc0d31ea395d4653967e17fcda161709c8aab8e3db1a7490a0f0ff048c566ff

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
202KB

MD5
1d65905849be39e61cc583a85cbeca2d

SHA1
4d57423efab899ef8d341c75ee2f90eaab4f9aa1

SHA256
afc867ae5581b0a8ea7728667eb619d617f2ebdbc3f89ca74f22ea9ba7d6dc90

SHA512
beb3e0cb34a0348f337b76b8f6a08c32af4c2689e274c486296a675c85b4b7efecaa1bdd4eba3c508ca1651f9c73e307f880d268134cfa8a8b4a10718c25ebb3

Download Submit