8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 00:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
Size

41KB
MD5

06db94285e6d203748da857007cb9028
SHA1

166bcffdc7ca30a9dad382729983ba9716660d70
SHA256

8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb
SHA512

97df3674d187e555a80466cf7995b2de2503fce55e50384f4ff32d2258291e0f5b504a782f8540756ddaeae1d30a5d347d30ebdadd63d8d211cf9746782dfb14
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJH6vBSSvBS4FmZgMOMM:yBs7Br5xjL8AgA71Fbhvx/5MgNZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.tree.dat.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.tmp	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe

C:\Users\Admin\AppData\Local\Temp\8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe
"C:\Users\Admin\AppData\Local\Temp\8d89b38ce159a8a535944cb717dcd6819d3cea2ffd2f09211a0803e7f38bb6bb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
41KB

MD5
80fb14a8cd8dda2409a75f20d9401dea

SHA1
ae84fca0457647236c86de960384586b63349cab

SHA256
110658cec3c466b5c2a20401b04a6a270766cf7a9af43f42d5b8710dc5c51c3c

SHA512
ae0c3924d94a87463e046111504ee6b3901ed36577d944c4c08807ee7034ffb6c54e2afd7bad0c11ae75ccb358d8908d063e1af38e66d8d497bf891f50a2ece4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
41f811df83081a5e34e5a712b7371a6a

SHA1
ae0e15b4ef391ab7383b0272077a4623f60712d0

SHA256
d961bd46036bae5968bc62f127e9fa1b5e1ffa7bd71a1a307b710c1a1dc8bbc0

SHA512
248ad788cf7b8735485b35947fab7afa2e9ea5f3ea4f3f11bd5d5f2ac719a50e2b5372e97b518037053db0780bda4711333c35e35ff619aac6a99292c464c273

Download Submit
memory/964-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/964-1982-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download