e30373da8e4bfff25a14316692d0c67c0e37e974eb8e05dcc73a5aa020354d96

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92756167b95b894dbe6a689d4a1f5c50N.exe
Size

47KB
MD5

92756167b95b894dbe6a689d4a1f5c50
SHA1

c8f3e3d262e1e18dd642e29a65dfa317799e5956
SHA256

e30373da8e4bfff25a14316692d0c67c0e37e974eb8e05dcc73a5aa020354d96
SHA512

e1da9367af35829b1d587e58d3df3709b37653938d307c47a5fdd5be41b1ca3852d0ca929274146160e1256262e43678ae798b14d3e962b1edee23c2fd3d7c15
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7cYl7+obSfxDsT7+obSfxDso:W7ZhA7pApw03vR03v4YV+obSfxDsH+oS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4673) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nl.pak.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	92756167b95b894dbe6a689d4a1f5c50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92756167b95b894dbe6a689d4a1f5c50N.exe

C:\Users\Admin\AppData\Local\Temp\92756167b95b894dbe6a689d4a1f5c50N.exe
"C:\Users\Admin\AppData\Local\Temp\92756167b95b894dbe6a689d4a1f5c50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
48KB

MD5
304bd605e06f01308e2ac0a4b5cddb72

SHA1
3629d9c566c90a0662f7a31c7e877416f2a110fa

SHA256
bdb3d40b7171c2a0a2c1598cca7c99caeed9658628d026d0e65f0f0ad3c8336a

SHA512
81a5ab090ea46eda3e58cd88b8abb849252f2f10efa33538c39f2ed3cf0585a83298ea6281fabd7ad6e84442ccf88d14caf78912b8ddd3c06b86b9ae35f1430d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
268dd2298dd35a9943d4ac21e0164bdd

SHA1
20d6ad345961160eac95edc5925a0f39288bcb81

SHA256
a5d0a18d344cb8d1b0207d96760139ab5ec173496202ed376d060509e8e14eb4

SHA512
bd3f4a5ea19ca07be991fa883125e0a66b6e4eff2b4f2fa1b9398355e3079433570e13711b814b39b5433b98b603262b8ccc08217b8269816d6ee29b9f19c4be

Download Submit