5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
Size

51KB
MD5

dfc04f6a1485745892643fb278aad720
SHA1

490ca89a331d76c2330b2ae75e44177df692c678
SHA256

5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707
SHA512

b1302bb45941e1c88820c942643f3012426a567cdb7ca27f5a66a13a609ffa8ae83db7dd32c2abd3503d5933205735334b46d8e99502b2b153252942570e82c9
SSDEEP

1536:W7ZhA7pApM21LOA1LOl6Aj8Tu8T1Rxew2wQ:6e7WpMgLOiLOAew2wQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe

C:\Users\Admin\AppData\Local\Temp\5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe
"C:\Users\Admin\AppData\Local\Temp\5c75298c948f2ace0d7669b435452719d974e7577d7b6b1859b241a118b7a707N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
52KB

MD5
721e3516c94f3f08a93ce9e0c9b6468a

SHA1
ec3d0b43bc3d55746bb298cfbf169339894466a0

SHA256
3c55d0e1e61f484af2767b2ee27817a874cb0dab4aba4f71c06a6e4a258ae085

SHA512
f0554d544307759858c9412878b8d2df3e0ff379ce282dbe252bc602187b10e767dd94a8e0505e4d1bf176759a3344e4e6081a9d1d94941061deb995412e19e2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
3aee69110ac69014a59fa563b60cd95c

SHA1
be4af6f2e6538e6356c98b03337cca09d1425657

SHA256
5a5bd2ea9c50d3328d69aae65c3d2e88e2c20793dc827499d6a1ee97cc53b850

SHA512
7b8f39ec623b29da3bd8f58e7feaa2e619cc698a17bf2dd7478ed8b3e2c33ac0afb7df212bdfa9dbb8091e029e73f49b86bb1aba3899b75f3deb7e616f37e3a9

Download Submit