5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
Size

40KB
MD5

fb39c212c64083d4dc8a65cb2d8fc050
SHA1

36ffb71d0be7eafeabbbe2325c9e517420385b3e
SHA256

5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49
SHA512

6be595b3a7e0ae8b996649686bc50750ab15e2bea5cda0bfa5a9418009703052c9e0109de0344f5b97c136c4e7d76942029c3e429b90fa0a5ce0c5c90706f8cc
SSDEEP

384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fLMzyKbNzzyKbNWkq3DLXakq3DLXa:W7Blp+pARFbhBgnKLMWK9WKD2N2a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (339) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\ImportRegister.ram.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe

C:\Users\Admin\AppData\Local\Temp\5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe
"C:\Users\Admin\AppData\Local\Temp\5201dc7a82b2f17268b50887161a59d4e7af159f24248141473ba1b2f866bd49N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
40KB

MD5
4bebbb48a49ff25d9e6fb9280682b13b

SHA1
f12ae27265e9925f419c029c2844d375bf200993

SHA256
0524e775ed03ced2b6c7c95eda70ec98d5a3861dea1be708b7e50ea0a2560baa

SHA512
770b86e9341f7d675fb3f9b54e20c391c8790ed4e08676475a894d9a06ea0f1b3be6d14be8b0ba7053c28f8f568ff10d4dfd72a59f673cf36d7bf05f375c1d03

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
49KB

MD5
478dee6c80bef2762d43c63d6004f72a

SHA1
2d798d79fa90c1937a56e9ac046d2e44e0b7e779

SHA256
03fd72f8bb667fd2df2c6f68e53f677316b959ec1b4ec7af8b496ea84f5aa9fc

SHA512
62a8a4683d2ea9e140eb7b630e5069c3b6988a9c65c1d99063ef5edc09899b188b99b2b028eb8a2c4385c14b13baad4f2b4d5cc564e37dbae31efbc441b50e43

Download Submit