37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
Size

88KB
MD5

ff67cb11dfd36fd61c6cbbdd0a4266bc
SHA1

2fe3fd4a5e2664afde735a9729b6dc558cc25f11
SHA256

37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610
SHA512

9c6a8db0c5da44df8534addc5da9eba6c9af62df2ce7f10a46774cf12951cd3ee6f8a9b55c2271be1a52dd7296785f71a35eb2a0c91b196a756dfe73a9341f65
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65dyGdykNdNBK2LUf7XQex2v:69WpQE0zUzXg

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe

C:\Users\Admin\AppData\Local\Temp\37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe
"C:\Users\Admin\AppData\Local\Temp\37bc06eb2a57d9ebeee5b1c7d98cc08efd4cef4ad160aca15c7b4dcef911c610.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
88KB

MD5
e386ffc6400791c70578961f6f1cca4b

SHA1
2cc691b4661d257b83a68dd0363364fd44dcb787

SHA256
1a855140721c7c7e0ca244be336d92eed32fec56bd573f6d22ba97c175499faa

SHA512
fc65b730513280c1598b74f5162300b13aba057ea53f7ba36593e90ed14d4f8279b1b736324075dc3e75d5414e565e65ce25a2609d8f75de537020b4a88104da

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
b9b328b0e3b7b3ef2eedddfaa99d952f

SHA1
895fb72f701b39c0e5bdd241c588a8b933e2b624

SHA256
03ba57db90144df974cefd49750300508216c05d15aad72dcbcad60fbeefa4d5

SHA512
4bebb8c7d722fc78ac33882eca64168dda5097e06321705336ed94af23d5e1143e17586065bf3baa0506d39b0f9266ba236e3bcec2c6230a9f00346f4a0b47d5

Download Submit