347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
Size

46KB
MD5

d1b0fb49573516588757a261b453e68f
SHA1

840899f91e08f9e41f1c080cb1c0495aec93664a
SHA256

347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec
SHA512

374ffaf7f5bad6016315922e054bfce8795ea1fe45a6383fdd8a9b1c2d7cc3d306486d5cc33c2dc8eca26e8ae2150d37e3af2c0409d1b5b6eba5f5397b3526b9
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7GqSY8:W7ZhA7pApw03vR03v1SY8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe

C:\Users\Admin\AppData\Local\Temp\347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe
"C:\Users\Admin\AppData\Local\Temp\347527b64cc7105f45b50324a8db4411a33fe1ea75a5fcf1775cd8a09bd6c9ec.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
46KB

MD5
b73decfe40f091179010fc526b39c064

SHA1
5fb9261ff058a77166ca4664f6a7f3c2354af68a

SHA256
1aef137a8021d6c76fda10940b1c4bd1f6d6e508c8761ef318417dc8e180ef8b

SHA512
27878cc6e016a702352772872c2dce4c86cd078961e1a9688c5234f380f2c1fd857d4ca59545da8356d72524fd978baa9d279271e34d541942e274520759dafb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
59915492515397bcf2bdd0ac380c0df6

SHA1
b09bebf70e0b70eb64fdedbdd88da55521ebcf49

SHA256
932221e9a25ec3d0bcd4aaab31a6ad5828e9d617b8cee80a4b6a962ce1263180

SHA512
3965790c5f4badec3be5f5670174ddd52c6dee9aa2674b8f26707cfe9cd77eaf5532472241bcddd39d8415691b8aa68611c2d7b1ed6ea6231ec1290dddb485ab

Download Submit