0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
Size

40KB
MD5

ac6ac8773bdd9989af87ee6299deba8a
SHA1

cdb175ae740c7c0bd9d52d0839bc4346a5405e13
SHA256

0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd
SHA512

9659088494fc815265b91632bd3c0fe16c9b7c77973928b5323b559affa0f9573369375a82a6ceba3cdfe4e2348a5b4209bd1c20ba447c56e708196b19ffa186
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8USd:W7ZhA7pApM21LOA1LOJSd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe

C:\Users\Admin\AppData\Local\Temp\0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
"C:\Users\Admin\AppData\Local\Temp\0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
40KB

MD5
19e21f4767c215201e4c77e0d482afc0

SHA1
8f071c7668916aa3a0c7245d887c6c20e6e05b43

SHA256
6781a0ce074738cdef44f95094dd5a8ccd2cf9979a2a2ce138b916cdc0d9abb4

SHA512
c39f4d6c9a048ed77f05f61aaf4580b4eedf0ae3e6a32dc4ecbec012d8be7ec0808448e7c8405f792815a4fc1632b9d90cd8b6f5b4e29f2c9292620742659ac5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
7733a737af3df61b4fa53caa07535ece

SHA1
0292bddc6d42e85305b4aa011479266c6a343b4a

SHA256
d192580128aa54bc24e15dc135ddf942a18e0b1a678d50bfc0180c19f0c1d32d

SHA512
18e17a81ddbdac9948d713201d9483fb8476f9a2c2dec024242ae11844b6e6e66247f6d98944fad1acf8977899c08410a02c57ba3ed901339e8a603b69ae344e

Download Submit