1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764

Analysis

max time kernel
31s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
Size

77KB
MD5

463ec7d474d3f5017c03c54006054500
SHA1

2d06471621cd7f0276588fd46a6779a531a11476
SHA256

1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764
SHA512

8f554a6a7d614a8c72c18d978f7940cde8fcf93ec1f3086f92b8984c2167113cda0d1e026b8073ed55798ddc43cba3aafda6cbc5060950554cd00cf949e90c1b
SSDEEP

1536:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlf9xc:6e7WpRaSljZc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (926) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.JavaScript.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe

C:\Users\Admin\AppData\Local\Temp\1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe
"C:\Users\Admin\AppData\Local\Temp\1799a11966c966847d595a29521c500fd42118176200b6eb8047a72b36315764N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
77KB

MD5
ab590a7a62f17440016bfb08c772b9e8

SHA1
0b0cb68e7f691e478bdcef38e27de316ae056fee

SHA256
a9bbbfc1e5cd39e5ae681dae0132c11bd3ad8fbd3908837654055c84f3dd99cb

SHA512
fb5a84da0cd12e4645aba2e71bc3800dd49937f0d7655da067e1993224509a88b53b914d94de9193516637d9c6f60711b1737071ba3fc34e5e0f0a4c30e199b1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
176KB

MD5
ef9c290ab68c81b6136d86627e7db78c

SHA1
8f19be8d1585f9456572ce4e3f057bd09fed63e2

SHA256
bf038b3e7aeb2dc8a539eb1980f91c7d5ae5b52a0f9e86f45813395fb2095e17

SHA512
f8dad03337c60813e258a4bf066a365e1d02e3b5e9fb59c6bc0a61d3112905249fb58c5d0fa3feec9d74a4d7590aadb04c06820f1a2bf08eaddc2b77895f25d3

Download Submit