3b87965ddcb896d891418126ae95251e1494e22a9c988a4bd49da7642a6ab73b

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1414281f9ee4f929dcd67ad804f85f30N.exe
Size

86KB
MD5

1414281f9ee4f929dcd67ad804f85f30
SHA1

a3a185f33f49a605e2d0b034b83fca39cac3793d
SHA256

3b87965ddcb896d891418126ae95251e1494e22a9c988a4bd49da7642a6ab73b
SHA512

7a66bcf20fcceb99925c5279b00e725be96c54f429141bb351906e07119c91dced2076d87a8da1e7c8fcaf2bed346a2fef4b9c6b148af10aa6b1287c64793d2f
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhF:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4575) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp	1414281f9ee4f929dcd67ad804f85f30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1414281f9ee4f929dcd67ad804f85f30N.exe

C:\Users\Admin\AppData\Local\Temp\1414281f9ee4f929dcd67ad804f85f30N.exe
"C:\Users\Admin\AppData\Local\Temp\1414281f9ee4f929dcd67ad804f85f30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
86KB

MD5
3669aeb80ad0a9e50149de97fa25fae8

SHA1
f9c6d28a0fb430a920c8be4050dedaafe64dd264

SHA256
b8fe8cdf643a8f98f88f6db04fdb69d47d9482a33cfdc4a91a870f3ae6170b9a

SHA512
bf2ce735a4dd54ac3aa4918f19235ef7c271b9e0a48b432dbee936deb61cb93ed0aeed8b372c92f49f584398a1580385499cde03ce552c0719f1faf864c3ece6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
33e63d31a34c64dfc7f77c13590b5d66

SHA1
05c82ac7b863c988a76bb983b1180d3b91327581

SHA256
1bbc572180bd7f85c2793052ff7ad9349b670906bd5810c09822f85d9ad9188e

SHA512
5c37ece22d97d77268734ebba145bdae9a1761f927e9d7c8ebd65962bebb74e5cb46a02d0f06b05d58882bf4e1b9fd6aedca38c908a0a8fbb81a0abd1cb905d5

Download Submit