21872f2c746eb610e6d80cc917ced579a8cb71ff3a30c677d019f109334776c2

Analysis

max time kernel
120s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f3455950ab297104ddbd7ef0f83ec0N.exe
Size

42KB
MD5

47f3455950ab297104ddbd7ef0f83ec0
SHA1

8266aef0cf077999de88a683db31dbd5ba60d0f2
SHA256

21872f2c746eb610e6d80cc917ced579a8cb71ff3a30c677d019f109334776c2
SHA512

d0153fb301ee65c5e31e65fb3584de4c2e68cce59108fd5d742d49a2cde137155bb2154690959d2e25cf6231d3561607213393a3fca05faa1ed952c4687989b4
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLL:W7ZppApBULcfpHLcfpyDI

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (332) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\soniccolorconverter.ax.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\ApproveSend.docx.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\EnterOpen.vbs.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcfr.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\CompleteMove.wma.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp	47f3455950ab297104ddbd7ef0f83ec0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47f3455950ab297104ddbd7ef0f83ec0N.exe

C:\Users\Admin\AppData\Local\Temp\47f3455950ab297104ddbd7ef0f83ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\47f3455950ab297104ddbd7ef0f83ec0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
42KB

MD5
8b8e67f4fc21860175a3ed1ca43abd86

SHA1
ed8c929ad36774c90e88843055e958b9fa16b434

SHA256
102ad32a4b6c0ad9888601425e5aa063aa62f30094b9107236f34e40ba858ae0

SHA512
e0b43cff4aac866e542673c16ff4bad17ddbb22256575766ec7c91fd2e108cf9c74a9cce841ff70e757b31c56aca625dc00436e217cfb4fdca834bdf6fbab5fb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
f1a15a4d26c3ab28dbcb2c22ba5ce29c

SHA1
39619f56ccf64ffd1f8a45d42f9252886772ac95

SHA256
1ddf2df8e4d758a134c2c6b55d08bfa2b0f9b980b345352fbbbb4c535629e826

SHA512
ade9e13821ceaff42ad242656acbd8c2ba773c47c783feee6251732e3bc000e51caabca1ebac0583c066cd7e90ce8af583014ab14ce2a69bcf05348813c1db40

Download Submit