773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
Size

41KB
MD5

946f76f5da2acdce52e10280c56c456e
SHA1

96d377d033369456cd81ef39c2acf2ebf8b50bd0
SHA256

773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750
SHA512

cb7536a7482c09f26c74336e71da70c4d7173911721171b6be15be5eacea3085d677febbe1690acaf01eb9c8def65f838eefe641dba5f923350ff0247dd1d9da
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpXfxRfxaRHRe:W7ZppApBULcfpHLcfpXfxRfxaRHRe

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONFILTER.DLL.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe

C:\Users\Admin\AppData\Local\Temp\773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe
"C:\Users\Admin\AppData\Local\Temp\773f7c88d93338ddd7611ed305325fc41167c90f0b5333aa25a26df49498d750.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
41KB

MD5
d05bf4a4f67580dca4f561e23310df78

SHA1
24e7150e52028da928af7ab72570554f2a8013e0

SHA256
64a951032525f9b67b3e7bad5ae6b254dd32507623f688ad4fd3ecb11c86fc5c

SHA512
f15cdbe511f6f97aa49abe7541119e3def1be063901dee2da451f0df0efc51e8e1dac35a06b2d501209056c4e449bc6d9bb1d5458bdacfbfc82852a6a8c80a46

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
93fd2451c68d7f3233fba783f45d99c8

SHA1
2ae5785bf3b519f50795f7476bccb2b57c59272a

SHA256
aa9a8e3a605404b41140470b844a4283b47e09b4c63fdb6514244686366086ae

SHA512
352173950c67fdc42b599841e85db0c72aff8be11e2ef999f823287943ac23f98c1b24e9e0d6240fe992e7444787d98e90f6fcb4673ec8b8fdc6c6f8f64d769d

Download Submit