db03aac8d42b9271d7a4f87c1a05487862d7425c562585f5e0b34c555b1f5c5b

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c37b7ebeca6df6b36b205cc39986ae0N.exe
Size

45KB
MD5

2c37b7ebeca6df6b36b205cc39986ae0
SHA1

b9033fbff0d1ec20d7dea3ea396a9914dc88eac6
SHA256

db03aac8d42b9271d7a4f87c1a05487862d7425c562585f5e0b34c555b1f5c5b
SHA512

cb15d96ce7dfe78b6556ffa88c1c8485b9e75c350474f8898f420ad82ab6cb59ef21d630d600496a06766c891554cd5be08552b09280f987595321133a67c0fe
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpRo+fOiJbfo+fOiJbCk8t8QPKrGrA:W7ZppApBULcfpHLcfp/ZeLPEwA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\MEIPreload\preloaded_data.pb.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxil.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	2c37b7ebeca6df6b36b205cc39986ae0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c37b7ebeca6df6b36b205cc39986ae0N.exe

C:\Users\Admin\AppData\Local\Temp\2c37b7ebeca6df6b36b205cc39986ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\2c37b7ebeca6df6b36b205cc39986ae0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp

Filesize
45KB

MD5
e043282e9e8f71768de701ad943e9d06

SHA1
ddb69203e2c46931d0b979a1e9841a571b6ce073

SHA256
e787dde5ab753abc32131152e218f15fab0bace485363c9256994a8c2fc81dcd

SHA512
09fbe7a6dc178307c7f48bd32eb4fc74c0e823c9bc49799edbffd369ae557f1e8b3b56c02d6419d6ecafc8a84feb70f90c579599101604740a5578ae6dde3183

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
7169a742e77aee8fb5b8072478bcc0bf

SHA1
d6fffa004492fe22db6266e206bace33a597e355

SHA256
87e247893c0f85784886ef88cc8bee183bcbb09b2586da92373d2ea0fff9d78e

SHA512
dc3cb50e0ffd02852c4e0314232e9b20a8f5a9c23618507b5df608d7bcf26c03a0ca556ff1dafa9de029bde5858589ac537a2c80243d56c435b197011091d7a0

Download Submit