383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
Size

41KB
MD5

cbea03c046455c2e8aaed513b2617d48
SHA1

d615344e0f294c282a852b16d642cd855d4e41ef
SHA256

383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2
SHA512

81f3dc53b8c223cb79a2e7e0f7697549fb088be84818fcc8a45a393c855a655d49a6fcefa143ec3ae9cbaf447e6f43dbd0749245f3c3a65103625e9b082b7a2b
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNF8:W7ZppApBULcfpHLcfpyD8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe

C:\Users\Admin\AppData\Local\Temp\383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe
"C:\Users\Admin\AppData\Local\Temp\383cfa2fb9fb771b96b2d047729e8652d941aef6caa3e953b1272b63e044c7b2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
41KB

MD5
c0f469b3e8bf9b63668fb7429ba57e4a

SHA1
a8d9d0cc1d6de09372549d34f2081aa7f02fa6b3

SHA256
8aba290093c2d5738502389b5edaf21c696ee731667f72e2e14bf0e7795ba711

SHA512
18639d9a974e6fd004e7a25f928456c324ad574fec4d418fb23bb7d596d9e8a98b042c94556d569d1a6ad97672aa7df00b3d3b2c67b2aea7ba6953a4e518a4f6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
380355965cdd4199ed856ddf2c6c6f15

SHA1
4dc53f77e9e248f6fcd9d3cd02c7307da0eeafd1

SHA256
9a6460a4a7c6c965a3f48b612a4e259dc27a6b0050143b494b9a5c2f66dfa03f

SHA512
f95eccc021b95b4ed35534e65881a1f521eefa482047ad16178b6f212bac288a8b087f6115025f904f383904f720375b913585d70b570b5870589a89d1428514

Download Submit