45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642

Analysis

max time kernel
31s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 19:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
Size

168KB
MD5

5259dd176f790bf589b6cc770ff33d6e
SHA1

b999509fed334cf3bc149796e115ec6c39e05793
SHA256

45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642
SHA512

808995dce53b8614e1253548f5a0c997aeffcc3278a88d18174f0ba968aa57159a3913d814ce6ca839d2c7147d5cabc13d69682a06355be64a197801a937a744
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBt:RqKB+tOkWKR0iJ0h

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (807) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.AppContext.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe

C:\Users\Admin\AppData\Local\Temp\45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe
"C:\Users\Admin\AppData\Local\Temp\45cced02005d4a40e0e5fb3064ae46c64b7210c70a0628c90deff4a15f1f4642.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
168KB

MD5
c6b3764adcf36a8501c2ec3569fea88e

SHA1
de3e014e0a989315a7de1969e5ae836b5cfb2483

SHA256
493bb0503974f4ac9d5b976cecb69a4e07ab95b4d06901fd82e40a419327ca72

SHA512
bd78138c458043403f50c2cd626f45d90195caada7a131eefa2966f014b5b7c0b75d97bc3805abd56d6c4a77522fdda2e701e60148303b6c1118b0d000868f7e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
267KB

MD5
ccecf4992ffe282007ab8885464a7909

SHA1
a68939b4cf5f740fa6d081d9a8a85df3b722cf6d

SHA256
9056bdecd25b158ccb216040d84dc5ba01e4735c2d31e6651d38c47d3cf8d9e9

SHA512
5b40454d5b59b4474cf35d899e66e51df97b0bb005de1cce925f72e89506ea90d0c58b220ab493cbe2b1bb592b18be02cf44e6d1b51b11ba420cbcc687eb6483

Download Submit