d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915

Analysis

max time kernel
150s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
Size

80KB
MD5

65f1822d76b1df7ab2db4b75ec9893f0
SHA1

80caf95f51ff248710f6a5bdc4ec81f13c1dd363
SHA256

d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915
SHA512

a23d8f811df4c9b30e4b785f6cbeb92860f5669a728a868bd96b562dc6f3c25045ddf1704b5baf5ebbefb1b1b06bba0644b1e9a281bce128c54b5328aebca29b
SSDEEP

768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmh1444REXBwzEX1:W7ZDpApYbWjIoPyPoLzV7c6Sh1XSW

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (4869) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_elf.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Primitives.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe

C:\Users\Admin\AppData\Local\Temp\d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe
"C:\Users\Admin\AppData\Local\Temp\d693a5af2daa7dc56f7082ea4d18efc91a63c8d40acfff03813ce5364b6de915.exe"
1⤵
- Drops file in Program Files directory
PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini.tmp
Filesize
80KB

MD5
4df3fd69677c76e6a9e0348169873bf7

SHA1
f883ce898137e7bc6c641c44f77a5f8a6fb38c16

SHA256
91dfc25e05d5d2c3e0226514721cef046b251bbcc194e6cb971c9a940a7b52f5

SHA512
996f95f8dda694b71e502b0380851135ee8992b4ea6849526fb45380b5e9e9b70f58dd18bb8c94b48761cde2b18c54f31defeb30d96b0dca5dda8cb13dca2a2f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
179KB

MD5
38c5a2241a81919b7aba91dc626ce906

SHA1
38c8307e8deb201c6e51ad78d350bded1289f16a

SHA256
cff97ce3bf5356e1df971946fc9f01b43a9c0b7ec1695529f04a09230e0bd77f

SHA512
8e7cf5b74a4a753834ea637562c8d97a9059ff85506f79d9c201a84893da8475b1a7bc98c9e497aa370aa5c2ffbb163102cb7c844af51a0a0cc7a48e26bfc880

Download Submit