99ec45f9dc8e0aa478e909d02f21c297a99e950271006eed1ef2d69790e24f8b

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

288285b693ab42881d95d71d04d5d9c0N.exe
Size

46KB
MD5

288285b693ab42881d95d71d04d5d9c0
SHA1

695b07b5aaeda1a20e9bc1598b97a696d4cf851d
SHA256

99ec45f9dc8e0aa478e909d02f21c297a99e950271006eed1ef2d69790e24f8b
SHA512

4c7b741ebcccf9ac0c92c80ac979785e69c0b1a2195258a63cfa41090a187f181d918d3fbf6ff16a8e20856a46034abedc69ae205876a1d8f937a99716d155eb
SSDEEP

384:GBt7Br5xjLvassAgA71FbhvgqHqMjL4jLS/3MMf/3MMy0U0exOewcrxOewcP:W7Blp2sspARFbh5YSfffyn7xJwexJwq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4230) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\es-419.pak.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	288285b693ab42881d95d71d04d5d9c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	288285b693ab42881d95d71d04d5d9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	288285b693ab42881d95d71d04d5d9c0N.exe

C:\Users\Admin\AppData\Local\Temp\288285b693ab42881d95d71d04d5d9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\288285b693ab42881d95d71d04d5d9c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
46KB

MD5
bc8135548d726fea094a7bb1131afefd

SHA1
f1a0e8f8b11edc198f762cb12b144f7f71265f34

SHA256
638c2a4fbb69676c3ca7a9632efec9b2d18107eab7a64071aa2e1f045c64e58a

SHA512
b382d89c8ab8cd3bd57f68c3a408ac4d8290dcb9f681beaf1155d5a850813ee17d5594e5bcbcc4ad488eff199fc8df1b07aa9651b8ac58158a90d1dc406fe81c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
e3b2022da921f433c45797072bdc6b75

SHA1
135d28a73b73e16cfcab34cc05c277a9fea25d57

SHA256
dacf0ad6e798034ee10fa923cb6d124ca33bfcf8a5a1b4a4a83590f2c4d684c0

SHA512
b7ced5eaaa6d0ea7cf988090562928a130769932f8ff298507ce680f41eb1e08fc5ef0f9649af2e456467fb7101b9afa0a63ed3382bac76cf07b1fe939fa3895

Download Submit