052c63c7ac7abfb8a46573ee399edb3d98f5ab92f9733377dbd45a79fb7c3c02

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c035ddaf46297a63e7efe01df17570N.exe
Size

91KB
MD5

41c035ddaf46297a63e7efe01df17570
SHA1

edfff9ddfb9e1a955b0cf269a1cce4ae07c34d00
SHA256

052c63c7ac7abfb8a46573ee399edb3d98f5ab92f9733377dbd45a79fb7c3c02
SHA512

c0d52c228ddc4c92715bc3dcc9e4c7b3936e0c8d119579ca17d1437c404e37d4700bc3e15989dae027ba70aeb5d579bba15c1ec1a927272521b1f1d30cca41e5
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhg:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\sRGB.pf.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	41c035ddaf46297a63e7efe01df17570N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	41c035ddaf46297a63e7efe01df17570N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41c035ddaf46297a63e7efe01df17570N.exe

C:\Users\Admin\AppData\Local\Temp\41c035ddaf46297a63e7efe01df17570N.exe
"C:\Users\Admin\AppData\Local\Temp\41c035ddaf46297a63e7efe01df17570N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-195445723-368091294-1661186673-1000\desktop.ini.tmp

Filesize
91KB

MD5
de357fe16b2f0389a833680c0d778b7e

SHA1
25524db1c679a659436d46e7c1e29dfa4e9427ca

SHA256
ab77bee773f501c3540683e632f918ac43b60cb166bdc6c5201987679739611b

SHA512
f626fe85cf1eba81a72bcf1c971b365f4c4aacb8bbaf36835d9215849dc634d7c2ecaf93f1819a95610c1e270dd36ccc809f10d165812a7304ac250537e1e322

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
81f9cb85dda8b0a4b3c69fa5214af59c

SHA1
3cee610b19df4d1f29c83c847b86003cc8cf505f

SHA256
e8bc1671e6c4b9ca7cf2bb047e9505c4bf9879c40bfc5386a069c3b4f9bbd435

SHA512
3491b2776a62d88341750f488bc89bcd376b2b529f557f6711c7e4442d919edd627aa87c2b87e4d0253a3af92649364eb81ab669780341b87ae94df18a85f82a

Download Submit