7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 21:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
Size

47KB
MD5

700148b51987e1b6a139072785364d50
SHA1

03049c0f1315617914e7e62f6b08da1b2f141789
SHA256

7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7
SHA512

2b78cce2f3d4f1a8e84e37aac74294c86418573163d2e93d3772e4c8b53b60385b59ca0a9ad58de1287751ebc863c081fcd08475106315eb6123eb39a4c7b7c3
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1itvtKZqZ+:W7ZppApBULcfpHLcfpSo3fstvtq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe

C:\Users\Admin\AppData\Local\Temp\7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe
"C:\Users\Admin\AppData\Local\Temp\7cba03004d85acbf4d89b18a84ebb9e3805522f73609e608716d90db525709d7N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
47KB

MD5
7210f5f3aa2f795b6c3b0602cf716715

SHA1
48429df1801738643666322ab1d237b358c52602

SHA256
9b1649242fbde242728db92a38e56324d2243e2a108af9875cc40f08dd53d1c7

SHA512
aa20ca99efe4d204ac5cbb34ab059774dced41f7a5e693ed44b102b1062ca18dfba1c906764f07a00328fd58a23b54acb9ddabd1eb40e5fadd9ec755559ea473

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
6de3aff6a3d0416474ba4207ffc9dfe8

SHA1
249542a2ca016ca26335467bbcf1343f9b10354e

SHA256
43fffb28a7e3b1f821285a34c37863e4030576143ad9872ac0cbe75ed6b34bd7

SHA512
dea7b10985c8f98d494925321dfce9cfff06782401b908f615f8b25fea578bdc82e9c0fd332a618eea9da3d1850f95c84e1038b38a98744672f21a50a594b4ad

Download Submit