1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0

Analysis

max time kernel
150s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
Size

45KB
MD5

401132920d6890bd7c4459dc1feb2967
SHA1

a4adb09429caa3acc50d8413dc61b9333befa968
SHA256

1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0
SHA512

3da3354701fd5be92539c88bae43ef706b9481af7120b13184f81cf86eb9bbf3d0ceda301959c98694061fded345a2d4a2803921bc3b71a29d3c5dfd656ef96e
SSDEEP

768:/7BlpQpARFbhefnj0Tjfnj0TPuQogKO4iJfogKO4iJEovdcvLei1xaovdcvLei1V:/7ZQpApouADsovdcvL1eovdcvL1v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5292) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.boot.tree.dat.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\TellMeRuntime.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe

C:\Users\Admin\AppData\Local\Temp\1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe
"C:\Users\Admin\AppData\Local\Temp\1b0769482dfa333fdc32ca57d8d4bce4345bca9e7354a80b792b292b420da8f0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
45KB

MD5
6757f47726bdf659b4045f8584cd249f

SHA1
746542e6959f6890f4a43dd89f46073b7c430e4c

SHA256
938d3e5972116f9538436476b87af783ee3a79cad7e9d38695f29e4969ee4ac4

SHA512
8ebef595c217147f9121a2fe8a2f170b2abf22ea3d5523d6370b4e522fc8a47f7c7e5b4fdb774edba684588de6f8bfbaa95111a45061a06175ba3404691f6d58

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
f418e11829f8760e792a59870f4f935b

SHA1
ee17889a3031163aab1f63bb5d0d7489126ea6f8

SHA256
36b03e2be4ee2201020091cb4392418934a048766e99e592c99dd0fa20fb15fe

SHA512
d90a72fc17303a7e592daf0ccde34c0d8e3aa6638b47c637a94bdde6253bacb95f0fcc04aa0488c2e5988135ac30ee27c95aacc4c5763be098d27735fdabbb63

Download Submit
memory/3364-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3364-1998-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download