7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 23:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
Size

89KB
MD5

36c9ab33d7af347571e6965d8b59bc22
SHA1

28d131e0b1d2da317df9f34bedd8c6d466555d8b
SHA256

7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda
SHA512

66a30956d44ecb092b3bcf33335522ba38085cd2d8c09f73d7d8f7ac7a2ac285d5df3f7746c2c2eec9c70fae99c37b9af680c80899251085fcc0193bfd08d508
SSDEEP

1536:W7ZppApsJNg0tdlAX+zq852d1F4V+kw2tJKi:6pWpkuK4+bE1F4c2v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5034) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe

C:\Users\Admin\AppData\Local\Temp\7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe
"C:\Users\Admin\AppData\Local\Temp\7c95ff37929b4587cc3452d53ad3cdc42540c064f30fb58fabdeaa26380b9fda.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
89KB

MD5
6dbb6be942248ea16f12b8ead72b7fc6

SHA1
668a6cb80032eb09a307fc0e7fd15659b0e484c2

SHA256
0c400bc553837bbe4f2c41b7ea03a005975beb881d54892327648f73dfc9e535

SHA512
7939ef7af3ddadb27cb376682e4f0553169afe68eb364d69c04252b5b6a0d0fed466cb2a84d5fba6389cc17976a17894948911eeb23f6a51616b4a76bd74885e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
b048af03932b635e0d28ce0aba7befeb

SHA1
6d2a25d5f4451ba4aac9d5474fcf9763edaa06bc

SHA256
1158da87a42688dfd9e8d515fe84fa4953d8a6cc3864d25b7a025c8c622140ed

SHA512
31b4ec38b03b156dced0edb3b214c38c378ad18541923654d38c70dd75ba61edf840ae2142aeae2ea61740564e610234527e947e3f1274690690e6a15c691f3c

Download Submit