7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
Size

62KB
MD5

a8747d275ac9ae1254b7897e0e2ddd60
SHA1

3787ed59dbf2057c860d859727d0812fd2ae3edc
SHA256

7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401
SHA512

4aa9183da5153964c0962d70ea4dc21611d9662d721300ffa7e2d9fb2878228b31f12c75a204c75e62ae900e4a5ae7b62a048f5991f1965c8a39d38b49d053fa
SSDEEP

1536:W7ZhA7pApw03vR03vcltdtSsU8Tu8Tmwzwn:6e7WpwYRYUtdtSsBcn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4634) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe

C:\Users\Admin\AppData\Local\Temp\7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe
"C:\Users\Admin\AppData\Local\Temp\7165bc7b1bb087bf871a41d4134c9332994eb1419026beb06ea40262a63e1401N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
62KB

MD5
725e165ada14524c2cc2887643478ba9

SHA1
44ea9ae7c3754ab4feda4fbf86a1a0406c8e054a

SHA256
eb7456575f57371bf8a3db244a7f305d256a6df1be1d25280c81ca16451d4380

SHA512
225ceba3e064fa7f97ef08c3ae821fac695a998a1165e326ff7e5c3c13506d49c8810a9477ab89523d9eff4f37c13250b4ee0537e0e3e311c786297c96b13ff4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
7c7731bfcd52bc3425e62e264103bbb3

SHA1
df2b21ff8cf6141da3b127ca97955e9b17c51b65

SHA256
6cd1cbdc39535b19646d9fc29da975efba45f39add8576b1fb077e56d62a9ccd

SHA512
cc124bc20f24981fc1661550cc7a149d80d24fd773927b42579baa3c481d4b25573880afd8efae7b8ef7383300751b286f1c9db60dae4d28fd06aaeffc48aa43

Download Submit