07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
Size

48KB
MD5

923e97ace5fae0d381901d2407183660
SHA1

eb90b11ebd28a69dcaa490d2eb5353979004b149
SHA256

07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750
SHA512

231e623a1286534573891c5cee44f2e40f1a6cbc9cf5917194d762a2398bf24d4117f0a6091996928ea47b79429cdd47ef72e7f5bea5905f36aee7ad73191301
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c5B:W7ZhA7dABJJZENTBWv36n

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe

C:\Users\Admin\AppData\Local\Temp\07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe
"C:\Users\Admin\AppData\Local\Temp\07c24d70057a558f5f0564736a8c6ea1e6db5dd371f0ff749e419f256ac9d750N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
49KB

MD5
bb4c4be6ccd75df6acb56d5d7d9bc637

SHA1
d6427e9a398b7edcb013ab88a53d56e749e81a7a

SHA256
f8f738df89be8d216659d9898b7640a0f1b83ec8e683cd420e5685fc49dec890

SHA512
1291d89a3b0afa4611259497aba4788d0530ec0c5d8db34239d2b0d49d3ad388604319f10b4c68258ff084b4ff16f9581592c3bc31bc3db5dca2a8bd80fcfa4d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
f8045ff7258063ca11f15a0ca1f0ecbf

SHA1
eb58e384f36526c98d446adfba86f2c5750db1ce

SHA256
e731b81944c049fc29f941fbf0903842eda02cc422357c4a691692eb51d7ce6d

SHA512
ce3d12b3df059d2104a8442aae44eaa063000bc8f4ee6daad6ae2a477e4b0d71dc101e31b2eaf39bd74e13c157f02b466e99a83cff8c22d5da126591a8bb7469

Download Submit