34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
Size

78KB
MD5

b212438d28c94a09037ef7302eba7311
SHA1

29d72c2001857d946c6bdb650ca9ee8d2c944f7b
SHA256

34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839
SHA512

3b43ddcb420c05ddd8ffe7a1b080ae088296e5a2d9bb056cce97cd5848cbbd91677d1f7c81da3333caa8000591369a071b57ccced6643a2304dfdac1a2ea8d8b
SSDEEP

384:yBs7Br5xjL8AgA71FbhvJUfWGUfHjtmjtd5NaMR5NaBQp4g7s4g7M:/7BlpQpARFbhiWb8naOnaBK4g7s4g7M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5050) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe

C:\Users\Admin\AppData\Local\Temp\34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe
"C:\Users\Admin\AppData\Local\Temp\34aba8456ddef106e58f2ed8cb16dfb2b1360d9570d6782aae36adc28514d839.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
79KB

MD5
b82d11ac0362347655e1c7834253d995

SHA1
609e16365580ac37c58b4cee1991f7676e51e2e2

SHA256
75fe05658b86a042f60b86ccd893b85ca4651c83d634c09db78a5603f7db0338

SHA512
78be381a227586911af1d6d5dfb7d6cfb52ffe52b3f49f7540e0dcdf3c680cfea2c1e8706c9ca17b767eca968529bfb8ca2c40286e37e4a44677cf9090e7c9b2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
178KB

MD5
4ab6032edad108e1ed549ecc41f32187

SHA1
aa75235837f69b449785d77a10e4c9b2f40f8a96

SHA256
c28008de20cdace2a22b722f6c091f96294c6e8147040d069d24a98d1bf06c1d

SHA512
6a4033f3c243a66056c53d079cd9533478417247882639f0f2d3a3d58aa4062e9ad2bd88e618f3e8ca516a3f1363e841f3c5ec8aef78f36b01e357cbede23204

Download Submit
memory/936-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/936-1866-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download