432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
Size

84KB
MD5

f1d98c8e491f7f78f8897530193299ca
SHA1

963b39495a8267d87dd28319a383da5cb3c3d04f
SHA256

432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87
SHA512

170801728f0e2fcbaa5acb6ccb122081f9c69bade4d22dec412dd890e4244f877fdf0f921faefac421c5946959d44e8ea64125950c8989be218d5bf6f79ae2fc
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6ShZQ4PN54PN3:6DWp4WV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe

C:\Users\Admin\AppData\Local\Temp\432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe
"C:\Users\Admin\AppData\Local\Temp\432d2b73813aa16761c6a71217d9463cbd0b749592ef64dee4df2916fff97a87.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
85KB

MD5
2231b0366657c7acdb8b0db96164a289

SHA1
b8935725d7fb5f653a5dec5488eebf5877aae548

SHA256
b7d509deb592d821cc2318ed4e755e1e278c329cecc9ebc2a0e37e3da751794e

SHA512
1e55589ed31346376b301194d21821816357e9882ec7dd2f25088c901113af317117d1b69ffe9fd9fc7417a6aa9096006d02aa2bc82a50a1a36c73ecf74352dd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
183KB

MD5
ea34f7377fb49cfd33ad110abae8f835

SHA1
c400a21df029814b80c2f30fb7c6c016944db4d0

SHA256
bdc7fd1071ec4c073f00ec17075ed23301c5b593f9bbb12017871122f5323204

SHA512
f57e6c370646c9041a112cdbbce2035f6fa25be8d578c5844ea9c3555213d7ad0b19639ed3b36ef4ebe3f09f2e7c829590fc9696aed150ca14e4e2afa20716f0

Download Submit