f33bf963027b08c5961cdd455300a5fd91f81c8e45f4513d9cb527f025be56d7

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223bfc2da55037a567f0beb7d24015d0N.exe
Size

49KB
MD5

223bfc2da55037a567f0beb7d24015d0
SHA1

5926903263cbe735b2d8b246471c7eae7c1a8d1c
SHA256

f33bf963027b08c5961cdd455300a5fd91f81c8e45f4513d9cb527f025be56d7
SHA512

f6bbce5bf5611f6c6e29e11fc063d7c5b5c7511058fc0fb42ca672cbd510765be7b5a5e1d0dbec2c52a2ab89f90a2b922d3fa1d92678b6be4c52b330d02b340a
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJr4S04SCzwzdAsAbJOkAsAbJO1:/7BlpQpARFbhq1KX101GIesAbJEsAbJs

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\ReachFramework.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	223bfc2da55037a567f0beb7d24015d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	223bfc2da55037a567f0beb7d24015d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	223bfc2da55037a567f0beb7d24015d0N.exe

C:\Users\Admin\AppData\Local\Temp\223bfc2da55037a567f0beb7d24015d0N.exe
"C:\Users\Admin\AppData\Local\Temp\223bfc2da55037a567f0beb7d24015d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
49KB

MD5
1f548563da22fc942fd0d8050721e385

SHA1
06bbe1294a891a41320623498b1080421d53e161

SHA256
c182469a26b7826a56699886d6ed6cf3bbca8028133377a5d86294ad4d990b2c

SHA512
b0bb7c87b6d335c5d3110734540bb04d8a45c7e03224c04c8343dd3ea34fd0c78344b426667e4bc8038e052c00df61f5b130557b5ff5bfc4c152b096d7badf3f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
0663998c62ae127617725bc7238ab5da

SHA1
46216849dd8a73da20ddfa0c4422e14019a69a2e

SHA256
9a91475cc58ac1f682f1b83bed54b4d2afa5768de21cd4009a189cc378b9b15a

SHA512
0d3e7ef58dd7e6956c759668cc63761c710e7038a25b7d42ed2b6b722a87a4882a7172c9d00c0b1f0f3e8561ce1fb99f1a6751f9569f038667f69f1fb6947901

Download Submit
memory/4316-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4316-1950-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download