36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
Size

39KB
MD5

57f763c6c4bf06633dfa30581b3f99a4
SHA1

abfdfed9b6f6403e8bb30f32127c44ecf3e3d89c
SHA256

36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77
SHA512

8eef37ada69e4e692899fc287aa35d29b9e2b2a43d435acdb8bc074476babc11f1efefa898741d0fcbf97a330a482e17265a3bb3f6e73eb47b7172f0b0fd96f3
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzfIfHLW/l:/7BlpQpARFbhNIV/l

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe

C:\Users\Admin\AppData\Local\Temp\36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
"C:\Users\Admin\AppData\Local\Temp\36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
39KB

MD5
b70a4c23a3160f9c83ad9b435a0aef05

SHA1
8f93f60b1a3ab7eee695260e96d39f80900a9deb

SHA256
b7eb2d03f21bdc89f6f8174b824bc0e1427f472b87b76658a34647d9ec449f24

SHA512
c5abb1b703901e2d4fdc36bad7fbfccb3b6bca27cc80a3fb997ef0e6527f0cd30dd6af44b7974900be59febc27665edd010ec0f0137b47d079710baf4c542fff

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
467353fc5ca17fe9ca0cf7ca4b60a120

SHA1
ddd47be4e329ebf24ca68360dded9402ca67db03

SHA256
3437e39421eff6fc8aa245ffcdf6877c74b47c3e9c7d336eb02716c22ab65ea3

SHA512
ece507d744a9ba5b810262dab0dec6449055eefa883129475443a2f4cfa09b715f854d555ea34ddc22ad32cfdeb06350d08ea20794dd60861d34865258144781

Download Submit
memory/4844-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4844-1972-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download