17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
Size

35KB
MD5

59705fe2eb2a91c3286f71e3d46b1702
SHA1

3a99f4c85a53954f892eb9788265120bf7b342d2
SHA256

17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68
SHA512

e0c44e38028dbadedd1f18b340a52d72e9ff6bc5c69332cb0bb205996f6e843569b8b605626797278e435c2dd3d887cc33e06b03297169ab636635b7ada52248
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/F1UJo9VO3iJfo9VO3iJA:/7BlpQpARFbhzUJo9VO3iJfo9VO3iJA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5235) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\AssertEnable.jpg.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe

C:\Users\Admin\AppData\Local\Temp\17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe
"C:\Users\Admin\AppData\Local\Temp\17db74c26d2669997cd56b276aab8ac9d8726d66b7307ca8468ca125cf705e68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
36KB

MD5
7dda36c9005f93655d939b3496f7cc60

SHA1
17d47f28275f84704d480f188dfb453edce4183a

SHA256
c8309cd21af57f63a72b1c6f6da850309f4ca2163ac47172df754d9e753550ef

SHA512
1d4d052cf887907d1b7e937b0dca8e8f9de879754ec08df6868242283b7dc88c75431ae37f9df99b2495f85a5864203f4f8a3ac320d640898c441f278a4d4d0b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
76405fda96df84303d4cdd66f7aa5b66

SHA1
090d58f951f3ac0008d03ab9fd667a8133489014

SHA256
c7a4f90a0bbdfd88a5c333ad1788b8857f29ed5786b84745fa9d823daa1a1af1

SHA512
3706b67d3e35fd9a469d67048150fcc841f456c52785be5309f6a7229d37e933a37b636cc053b39d885c9c3be4939c1ebb5ffcfcb995967ad4a3305456a3c414

Download Submit
memory/2812-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2812-1964-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download