dc9b3a910f694d654cfd2106d700355d4654e220a6ac0ee2775b8ba159db4ea6

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bfb8133f2ddfd709512381b86592bb0N.exe
Size

133KB
MD5

4bfb8133f2ddfd709512381b86592bb0
SHA1

8b4927ffc9a589dbddef8821560fdc80abe3adb6
SHA256

dc9b3a910f694d654cfd2106d700355d4654e220a6ac0ee2775b8ba159db4ea6
SHA512

e006cb876d64350fb633ba4feef10862719d1e2094df4eb0548bc154072055f5100cf64696beced70710aebf829e24766f4b097034c6c8930dc4992350643bc2
SSDEEP

3072:6e7WpHIyRF9ESWu0SWuDmSXrw3Mtr0s8P43NuE:RqlIyFESWu0SWu2s8P43NuE

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\MergeFormat.M2T.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	4bfb8133f2ddfd709512381b86592bb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bfb8133f2ddfd709512381b86592bb0N.exe

C:\Users\Admin\AppData\Local\Temp\4bfb8133f2ddfd709512381b86592bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\4bfb8133f2ddfd709512381b86592bb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
133KB

MD5
deb66a3cc775dac7d89d676d27bce3e4

SHA1
ab7ee312e41424e0d183709a230ba7dd56d12675

SHA256
8dbfe3d666a72cffc3fb7741b18f8a189afd5268cb7455bd6d7e0c36d7786166

SHA512
49bd098ca9e1748f546dc5ce8a2e60e7f63523ce95c5f45bf101b53ac74941eaf6d3e8e12d212920587005a9f46f696872a52aa026b9b4c459e6a55a168beeb6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
232KB

MD5
f0ab8e40534079ea7dcfb4cd6b79771e

SHA1
bc7ebdbbb6e00c984dc723eaae3330aa8136a4b7

SHA256
fe0a1d739ba0d54001e8ec1c28fbdda58ac20b3b8212ffb24cfa97fe5fd8202a

SHA512
02a5cc982a9ef26623ce29f07fd957d6256f171e6457d06d6e869b08d0653edbdd10e6c43c5ed62a0ed7b15e6d127a71ac6ea8ad7fd405a9601750e4b704d332

Download Submit