283f1a68541afa8e7bd1f246e2533fcff34afd356b4187c1d2dd0c57fcf5e621

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2385bf2a5f47df473bb4a0e309077780N.exe
Size

35KB
MD5

2385bf2a5f47df473bb4a0e309077780
SHA1

5666ef70803b8fe7958b92b31e06901665151aff
SHA256

283f1a68541afa8e7bd1f246e2533fcff34afd356b4187c1d2dd0c57fcf5e621
SHA512

415df1a38c7bfa937e4a88ecb163147be9316f7e8dc4978b33b05375518caedce1383b8104c341c0dc2c16f91a248c5cf5f98dd3a7c21490a692cb028e75d222
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmWY9:yBs7Br5xjL8AgA71Fbhv/FzzwzZG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4674) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClient.resources.dll.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	2385bf2a5f47df473bb4a0e309077780N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	2385bf2a5f47df473bb4a0e309077780N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2385bf2a5f47df473bb4a0e309077780N.exe

C:\Users\Admin\AppData\Local\Temp\2385bf2a5f47df473bb4a0e309077780N.exe
"C:\Users\Admin\AppData\Local\Temp\2385bf2a5f47df473bb4a0e309077780N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
36KB

MD5
3dac49844d246fef9979561b7db23007

SHA1
1f087cd6d1bc3bd8dbd1ba612b19c26e65bdd700

SHA256
57ddf30c9dcf2b4f7efe56bef236c634c3338ccd1520591048b80a7a91e3e00c

SHA512
811f8a94a43ea64b50dd2a429182194961c20cd66590ea9ac368937a340d529f6aad3fdc49d74bbaf7a9aade217ab335a919d7f23ffbc4fb35904de9b50b06b4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
07e234a977996fd951f8993db3a3f42c

SHA1
dcd1d95718e722c0cc942131dd252773650eba3e

SHA256
dbffc3527b0b2667b7c8348e09a74c3d90a6fe184ef242d50a0dcfec401b7e9e

SHA512
d1c893f0e563cd5866fc8ed18b89e1e5db7413662c8794964c57ae076a28aa3440d2d682df8b30fb4c72e7c653793d38d901dd6d23f1cf64ff8fb5ee535f49a0

Download Submit
memory/3652-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3652-2008-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download