4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 21:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
Size

50KB
MD5

5cff3143b8267682e383831055c8f624
SHA1

9d6706413dc952dafbc61fdaf11ff2d274702c24
SHA256

4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb
SHA512

1a74baf6ee32f1fe479462f894cfba2c1560aa4d8991efac6b574f78e7fee70b6627932843062ba0a498aa313162d221a53d739fd70accac9915f8fe21609ce0
SSDEEP

768:W7Blp+pARFbhBgnKLMWK9WKD2N2LSarSaAsE:W7Z+pAp2nKLRKIKqoLSarSaAsE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe

C:\Users\Admin\AppData\Local\Temp\4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe
"C:\Users\Admin\AppData\Local\Temp\4e7055bebe65f2b8123beea7a4cdf74ac7fbe8b71ef4a3d4f69b9522810ff8eb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

Filesize
50KB

MD5
3fe99a1664210e0c347c3876b08086c3

SHA1
5950016cd37f5b20e1071ff54ffc24cc1a89352d

SHA256
7120fa084be3a2ae24741b19bc870fb7151da2ef7104774210de87e284b887fa

SHA512
957c2e032cdabd4c6b9e74784a005ec9e2171032b77d1298d83a6b39f58e17ab792dbb3aadfec783fba9e11f098b6484c97ada2dadadf2149c3b9b74c7e8ca0a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
e549054dd23d711244221a71c7d9d043

SHA1
fa39fe39296368b46009e5d703c6155e9626ce5e

SHA256
8fd0cbe92626135decd550eb5956328689adb448a8a5a2d69693f1f287e224b1

SHA512
1b7cf9953c6e0534f1bb68d136c401e9b1d726f02c09b520754ffc943ffb9de25ea2985260924e0da713131b8d11402869f4a65ae1ad59d914e4587893f5aa1b

Download Submit