71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
Size

77KB
MD5

4339074e11491136ab1939c7ef8339fa
SHA1

1387bd7cbf2db4417d6f32d69478e18afdfd2c06
SHA256

71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd
SHA512

9e14a2474dd3b4bc3c7abbb6b8c10bd9de2e8413742a63f23f07521edba9936190460b6fa788048c094a266d3620bc2e4bee2d77654975122e6892587967d232
SSDEEP

1536:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlfM:6e7WpRaSljZM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4880) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe

C:\Users\Admin\AppData\Local\Temp\71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe
"C:\Users\Admin\AppData\Local\Temp\71f249630f1b263db81d57ed8ed32e1dadf1534de6978953aef1e864d44be1cd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
77KB

MD5
2715ae24b02f4b70b9d5c21af3cb430a

SHA1
129aa1ac1610b4ee7d38babb5d4105bfce8e7f27

SHA256
a0b5b057a24014a0efc6f177df5a62881a82668fb2616c92f5178044b4888f11

SHA512
ff3b6815bf151ed9f40d52d616edf9176fe23120858322d87be1fc0e6de6ac6b4df2a36d3934fce61b711912201c91fcd59683bf85017e4946f14298e15c4c62

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
189KB

MD5
708868af85efcbd4a48b782ce4cab157

SHA1
68d6224dfa1565063fb8b7c1fe610419dc5cc2bc

SHA256
c1e305d1b87c9d163e8de023e2cb73c4e3d06ef752c8d0672db500d0d8f8a9aa

SHA512
25a429cdf11cce3b89f071eec04197e4dcc68e1af191b85db2861693b3d24b167ba2b485443f7b31341ee1c85ff38ad40a870157d732ada2da8bd224785df712

Download Submit