250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2

Analysis

max time kernel
120s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
Size

91KB
MD5

a6e1c1f299a11ba3bb8dbec1b906bca0
SHA1

5f80da807601ce480cc147507b97cb965698c74c
SHA256

250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2
SHA512

94da5e8f0237dac6f1f56ba8b8600fad9435f3e005b770a60d78e7f946745ead5060a3c6b00e42cd02926f8c133023d8bbc7abe254bfc434295399bacd17ce94
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd53tjWC4Z2p:6+WpDfmRfmhHtj94ZU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4305) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe

C:\Users\Admin\AppData\Local\Temp\250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe
"C:\Users\Admin\AppData\Local\Temp\250a5db81e5b9967a224aef1fa07902866238ddc1f7801491d923b7c0ae7abe2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
92KB

MD5
4eb5e1b814540409d2cd1cf91481c7d1

SHA1
1fbda0c529177ed48d9cad9e173049a21f86b356

SHA256
2f2e6ae1454884db3f19322a0086e1546ceebb7666f73a9cad92487f3a8d04fc

SHA512
4e54f20c6bf3294fc847ba77700a4a8af704fe24c36307b8df4110f8e72a62dc5145290c3f6691f125b99872eb7b77a5c8f19a2d0ed2681bd77a49c04ec7d264

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
a1ba3828ccfd3db4417a071d8e3fd32d

SHA1
ede6d777a0a874d96ef162f665c92cf57524c822

SHA256
229a9cdb1cd55e0450158580584534a9a4379ff3054d07a58d11ef567fbcc7b9

SHA512
14bcfe2aa8a05a1453018a1c9366555ccb96e04e50bd12e207fa9889114a1ac2c5bd8488ea4d4ddbc080e396f5617ede19653eadbbad91b0697f4dbd7f389361

Download Submit