77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
Size

57KB
MD5

aa969289eb6944adecbc69a4c0d010b4
SHA1

1230ea4963413c9e43623c3fb6ceed0953f7f454
SHA256

77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1
SHA512

2f289e58642d941ee51f8d32e1f0a610e8376a4681c9c025bf414d080b49f3f769af29abf43456341880aea8cf0fe62d2f39a15c6350e17b509fbe1daec0a8a1
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJcUYU30N7AVn0N7AVaYHGejGejnA2M:W7ZppApkxUYU30NQn0NQaYHGejGeu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5261) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\ConvertSelect.rtf.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe

C:\Users\Admin\AppData\Local\Temp\77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe
"C:\Users\Admin\AppData\Local\Temp\77627273be28004f9d039900428d32aecc0da6350ca2183a0ecc8224b82838a1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
58KB

MD5
36069ff44208ce60e762a14efcebe88f

SHA1
7ab40eed8659a2e14868c5c8c40bdb24a325c040

SHA256
251f7300c4f73a6b5273b89fa617e53dc9c59b98f9d838c885600f1cb8a8b410

SHA512
dc55d2c1fd16bdac083c556aa2ee9b381c9140ddd998834792e9380ba93ada7949d2fef7c2b32ecf0194320b6119d4724b8aa04a22e3893ef4fc7ab3d13dfc67

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
3a7817ac7e657c2d555d7c13f9c41afa

SHA1
88a46223a114d6aa20f1b6c79075b7882b61a743

SHA256
b92637ea2ff608f8dc7f0254ae43631b109544301cc8cc00586772a0596942d4

SHA512
261c02e617e1b08b5a1d5f4c67c6fc49a62cddbf1225884c3002a230568e853ec9b96d0eedfcc422049b461e79f5257e3b3744bc643b059d9d5aaeeaa6a2c8ba

Download Submit