3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
Size

61KB
MD5

78b1a64e0ff2742a6fdd49ad9bb9ce78
SHA1

a4302ae3557642b105c31d0a0fb57d1089bf6516
SHA256

3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d
SHA512

330083006919afe31e074d99c49e63eaaa5e18f5a88506fc434751f4e5fdfcc422e6ffa68ac153b198786d7bf8ff49792291cad5708193d6845ca1ead529ecdf
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBk:/7ZQpApze+eJfFpsJOfFpsJ5Dc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5025) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\sdxs.xml.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe

C:\Users\Admin\AppData\Local\Temp\3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe
"C:\Users\Admin\AppData\Local\Temp\3604e6032ec23efc049dbbe619c6d19102c475c4f33988db55e291e408588b8d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
62KB

MD5
351204acecb70d503431449a6de3686f

SHA1
eb64717be04d77f324d8d7ae3ef20a18a6f26d9b

SHA256
41adad076c0193c257c1291e58550f21627e020ea0041166728414d02f01138f

SHA512
e6f930b5866d83579f87f1e48cd8ec16323ffc267e5c02641f5981e48465b53f9602c59ed11b81cff9f34c17b9a1632e3d0db5ec9b8d20ceb2520040666364f7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
0f30829600319fe603d21a1942d58a6c

SHA1
def7d03a78e04a18b5c17625c7f79795562e30eb

SHA256
af2f40262ea423a6e3b7d3c37749ebc95816bfaaae25ff2f2fadd9754d55b33a

SHA512
1bc76363be79b2fb14ad7d713a8f15c2449e11ebb2d83f00269e0b70c9f16616d1054b941be506b5cce13f0e57c53df1a88da7712b79a4e3bd002ce28ba44600

Download Submit
memory/4960-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4960-1790-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download