9ce86f8853538d83b46dad890b61eb70f235dc71f686c4e78edc3d0d13069b0d

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

327f5d5d58f213cffa88fbd1ef6d9450N.exe
Size

35KB
MD5

327f5d5d58f213cffa88fbd1ef6d9450
SHA1

95626e041826a4261181cdd1780729a736d11b96
SHA256

9ce86f8853538d83b46dad890b61eb70f235dc71f686c4e78edc3d0d13069b0d
SHA512

e1b7199123982509a92ec313aebf85f9bd933cb5b1c9cde3d8bfc1e1217b866d960f0b26c029bea987ba4d542bf8f3d19f2f19a8a5e9015daa553919575ed743
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpurA5SJfrA5SJ+:W7ZppApBULcfpHLcfpT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	327f5d5d58f213cffa88fbd1ef6d9450N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	327f5d5d58f213cffa88fbd1ef6d9450N.exe

C:\Users\Admin\AppData\Local\Temp\327f5d5d58f213cffa88fbd1ef6d9450N.exe
"C:\Users\Admin\AppData\Local\Temp\327f5d5d58f213cffa88fbd1ef6d9450N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini.tmp

Filesize
35KB

MD5
51585e4f53faed9cad276ee4a45b0904

SHA1
6ea4e6053ba3b3f9fb9d74f8cd793b0baf3de0dd

SHA256
09d08d5f6e5c02649e896b421e03a60fcd1158e929a6d5f024467fddb3a67702

SHA512
b045e822330b6e0eb6edb0c6bc0d55657f9677dfa4d295ee8d400493d06864c9f803fc040888f2c334690f904de4656b30f0637eac84bc8482735b8d07f39ffb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
d6a306944a7ac337de4156277395c8eb

SHA1
d07b4ba8a06db91801c3e3e58c38d1b4cae33c9e

SHA256
fb7f425ac544b2ea8ce5fa56896c34a430432c376e8dd4fc90e22d2d141918c0

SHA512
82816a15f485101f6f11f338d0cba1a59400569a98f446a47777d246b784a6907fc8f2f4f0a64e51dfeb47a82ec16b1206356c4024d1cc368390c6969418df8f

Download Submit