012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
Size

46KB
MD5

a7adf78e3c05cac8d284ac4cdfd4097a
SHA1

ce444c37ede0efcac942be56d38d73cf68ce5cb8
SHA256

012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7
SHA512

602b5822989bbd5f36784be7a26535d08470e4a30ad99665d4b95f6ed096d9c0a23ddb81ce7ec4fe74a017f936c19f9f789e2b993b8c6ffe36f9510da13e86b1
SSDEEP

768:W7Blp2sspARFbh5YSfff9n1oXKCqzEIn1oXKCqzE8:W7Z2sspAp5YSfffF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5201) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.DLL.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe

C:\Users\Admin\AppData\Local\Temp\012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe
"C:\Users\Admin\AppData\Local\Temp\012229a974b6e2bb107689ae5fc8595170ec1e3a2003426c611241e978fe88f7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
47KB

MD5
3addf0f95427d0a933e9ac7c2c4e5e62

SHA1
97513c0931d86245bccb925e10ab999873d9f25a

SHA256
8f6d30f5d090d4b5e6d8ef2207f00e52bd4df9886034fe9ece752d419bed0b51

SHA512
07cd2391b4c92293e50cbe4a916e10cebc2085b39937c84842416118de8e5c3f8e2fd98981053fa98c6f8df2aafb6b29367756b5b67ada754ae93ebca4ecc810

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
3a8ca3b452a497c2e4ecd44bab4460d5

SHA1
8896c1b188cdbdf08aae2bb90a6c56be5f1dba3e

SHA256
74047c44d80e657f8c31be866cded718b0ae533e3b62a36c1293c6d880c709b0

SHA512
370dd9d2459b66b268eb0631c346967813a2520d7e636434a87981c1ef6cb845826ad14b24512e021eb62989739754f302415713f7ad37bf65e55c08cf40fd89

Download Submit