2fd879545e0a18af6cbf4e6c7e2d77ef607fa1a7a79361d35ec7d24e5d53fded

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b363a95362a296ed0c65e2fea3212190N.exe
Size

38KB
MD5

b363a95362a296ed0c65e2fea3212190
SHA1

f78e13a5245e989851c26dca1dd774e236f05fd1
SHA256

2fd879545e0a18af6cbf4e6c7e2d77ef607fa1a7a79361d35ec7d24e5d53fded
SHA512

f876885be94b0c0d7fb039a1501d7f92056e143b73761055ea568af1326079507b79589a3d4993132452fbff1b89c47bfc6456d0e82aec696a34d574b12a68e3
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmI9h:yBs7Br5xjL8AgA71Fbhv/Fzzwz3ZsTZ8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	b363a95362a296ed0c65e2fea3212190N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b363a95362a296ed0c65e2fea3212190N.exe

C:\Users\Admin\AppData\Local\Temp\b363a95362a296ed0c65e2fea3212190N.exe
"C:\Users\Admin\AppData\Local\Temp\b363a95362a296ed0c65e2fea3212190N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
39KB

MD5
5ce2d78704f593f3b0a4d98ed23b0d99

SHA1
90e02e785b26a12d33ddcbdbb33f64aeac20acde

SHA256
2d1fe49b3814fa6d99ad9c22189b4d48f2a53bb9e5fdeb3a7585269da1483dad

SHA512
ab665b3346fff986e5d5349c92cafec1b79a3d62b7d0ea9fa402af94542339cd7c8bab69c3175c5c9b9196fe4698333b313482985cd6ac4ce203506b298d6279

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
312efbc362d8ca018d6b24debe6c9347

SHA1
e4c223aea62330c007510323747791c66478fca5

SHA256
2c11d25479e218f3d811e3cf05e23cb9c96413aaef9126f12ef77aa50df8432d

SHA512
ecb763103b39546932f07dd9ebafd63ebe6a667c0d63b66725ce6d4eb1bc9d2d80741413c37bd2170866dd265b6c1b9bb46cd76b3a0e0c563dd90af54db75718

Download Submit
memory/3576-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3576-930-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download