dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
Size

54KB
MD5

1fca19760cd6a3f477439084f94d96a0
SHA1

8ad719cd18f2d0034a95029e6798af7546d1881e
SHA256

dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992
SHA512

ce6a13534933422a5313575b7902a8509fdc3676faa2ab30e21eefeba0c9552a4e3619472b018fc9dcf26c8332d5fe5b1477ccf9f7d134ff6d4bb895e30a5584
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lz/g6sHzcXHzcC3OTHThLi:W7ZhA7pApM21LOA1LOl6l6YzqzV3cLi

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe

C:\Users\Admin\AppData\Local\Temp\dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe
"C:\Users\Admin\AppData\Local\Temp\dbd1720ecd011ec227addebe1062780bd580e29c0e9d639634114c87c7219992N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
54KB

MD5
b3b7d7c2585fed3f0e99f17283e7b230

SHA1
0e5b31f47e7f39d1432a3c596b0d0b8a68f926b5

SHA256
fe06164fe9b2d09e4b0835147faa63d82054d0dfb9bb419dd03fe5af086004b8

SHA512
941420348c711842767bf1168ca8411f2171b459a6717033290f6ebcc6e24262faf433afd4711847462787114faa4ce0e27deb96fe4cc793f06464b83f43ae39

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
96a52b2f0890e648d1d51530327389c0

SHA1
d0fd0e49e3fd4baad8d0fe0659aeb776aa5b0854

SHA256
b704c4025fbb83a8d03700700b124afee22ee7f29b957dfed363fe7c00c84ce5

SHA512
deb4891d41f9b84fbc7db509584872cb2f8ede1a85015283b0910addc31d50ee4c57c8877483c2d12fa1b7b48e9171ede89510a12640e8530cedfd4f251549e4

Download Submit