4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
Size

58KB
MD5

6d5f347b5e0b76827a8a8778be9f1074
SHA1

ba0a7c1aeeb57ef1244b5b165969f02a69bed937
SHA256

4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b
SHA512

d5195370519a5805f11bc5c7338711a5a8aec390c05ded8199ba5d5f8274825c799bdadc269961b3663adc476377af97850b96b4f2bbdca704e8755de2e1265a
SSDEEP

768:/7BlpQpARFbhn54fmiy+3BVr54fmiy+3BV6nE101IK8WKnFIMK8WKnFIo:/7ZQpApmi6nuKNKnF3KNKnFp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore_amd64_amd64_8.0.224.6711.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-REGULAR.TTF.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe

C:\Users\Admin\AppData\Local\Temp\4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe
"C:\Users\Admin\AppData\Local\Temp\4934363132e4f1abac8ca82f4fe8b4efeb9161ab5a7c3d66372c7e123ae3a68b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
58KB

MD5
6d75c84ca79b3b6ea4dec8538c548a4e

SHA1
264a095bd60f07a00aacae97007746b549d669be

SHA256
6338cd7cd2949bfc22aba13a66f060f0eb2282eaa0bcb4d4b03fd4547473afa7

SHA512
81efddaa6d29efef81f166a0509a6ec0e1c0851befb4e536d9638cf6ef488a40dbf39cbf9c31489a1427b193e77f649c4023cbba9f98a15855765e605d2292ae

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
157KB

MD5
0ce5482bb7e951b8edbe9d774bb092ec

SHA1
ef9a1b43c636429dcdfb90b29841629ab60dec0e

SHA256
748af8d6d913f8cca4166177e757046b1fad931158ea95c7fef1d7026eec2d2f

SHA512
043ae3d9cf4d60ece8b7d99488551214e01834caf919bdd20f455c403099b1ed9413fb74e169d6f910da36e9f64cacbe45a9845bc85e2271b86ef027d689da74

Download Submit
memory/3300-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3300-892-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download