03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
Size

44KB
MD5

57ce5372788fce7fd1f24ddf5a5ab72a
SHA1

692cba8da3b25ec4dbe473b6683c59a12135a623
SHA256

03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c
SHA512

0bc2a18d2c086e91f60c11552a74137b0299f056d32090bf1a05a14c213195f989d3a72a3ceac8aedbcc9fc40d0e2afd218039e1897d215fa361160118560cb5
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzYGXnlGXnBwsr:/7BlpQpARFbhNIYYc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5269) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\ClearRegister.WTV.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\HxRuntime.HxS.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe

C:\Users\Admin\AppData\Local\Temp\03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe
"C:\Users\Admin\AppData\Local\Temp\03c45047b879cdc372af76dbf4b2c518a2b678de62c11c811f33d4dfb42f5a8c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
45KB

MD5
afc204b4107041b07df628db90ef7721

SHA1
8ae129235dea8a8bc0bbd1951b7f943993b92826

SHA256
65d0fb4964d38f0a6bf60bcf20342fed6ad3183f8359e27c8c9e52c68ba4df55

SHA512
874952683b88faab3c52904b3885de0950f68604c54fe5903fa8c107fde3e02496c67c3171ef4b943e8819d877c52ad7d126278df19fca60f04ab39289b1a9a5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
50b19c8b26895934f648deaaf4b59362

SHA1
5c241f427664f327efbb92ea240ed03aef20446b

SHA256
fcb81e56e86dbd68845826f5d72cc86b9d40c10aade9b738e3cf9e065692daac

SHA512
278b1b26d6b11140f77cd8139cdf9ac30449d995a1315d0e323664bff578438f84aa9f4f1ca6132fe78857589ae26dabdf9561d20e2a540af35cbf4a4cb0b969

Download Submit
memory/3632-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3632-1984-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download