a39604a4591540a682f64bfabc33ad57e2c24dbb112a2cfa3914240b599f5edb

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3058c4c8afee97efb52385e761beca10N.exe
Size

73KB
MD5

3058c4c8afee97efb52385e761beca10
SHA1

bd9ab8e968c250b45c63f7faa6abb9530fba7bb7
SHA256

a39604a4591540a682f64bfabc33ad57e2c24dbb112a2cfa3914240b599f5edb
SHA512

ed928fd52f17da12b0f5368d52d17deaf1aefba330a05cd8202ff9f037cf51cfe099ab0fb78180d83b85b4ea7bee0aa6f4add64663c5bb0c7b3428a20acf81cb
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WmDJ:6e7WpMaxeb0CYJ97lEYNR73e+eGGmDJ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Wisp.thmx.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\ConvertToProtect.hta.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	3058c4c8afee97efb52385e761beca10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	3058c4c8afee97efb52385e761beca10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3058c4c8afee97efb52385e761beca10N.exe

C:\Users\Admin\AppData\Local\Temp\3058c4c8afee97efb52385e761beca10N.exe
"C:\Users\Admin\AppData\Local\Temp\3058c4c8afee97efb52385e761beca10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2650514177-1034912467-4025611726-1000\desktop.ini.tmp

Filesize
74KB

MD5
8169c639b0469103079d5d20fe343ecc

SHA1
be69f404d624b2e7007d827b7d8d0e892cfff151

SHA256
9f52c39a8e70721fc8a8dcc5ebf55ebecd0840ba0f65ec8a9f25698e2ef6bcc1

SHA512
5336d78f6efa2351e608784cf5a779bbcb8f5f115be16e725285ddf0767dbdf97c63dd9055ec5272fd3ca1c294a507a36ab9e4f653529249617950f1e892e74d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
57456431fd2b03d7663dbcf29ea9e743

SHA1
8b9d8238c3a7d6dee930cc974b8a51db3e53abaa

SHA256
8f994df0bc44ba73752437068519d46341e06daaf5fbde6eed6c810923f3be2b

SHA512
d59e9ea089b343d996e4ee10521d2333e7d9e4ee92f772a8446db062bc4f1c1e5f409bd894649e8491ba4e5556b155cf0d44e4f2b37f7bbf08dd44c2d24b2ab2

Download Submit