Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2024, 01:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b32e3bb50939d30c6da3a3cf42370490N.exe
Resource
win7-20240708-en
windows7-x64
3 signatures
120 seconds
Behavioral task
behavioral2
Sample
b32e3bb50939d30c6da3a3cf42370490N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
120 seconds
General
-
Target
b32e3bb50939d30c6da3a3cf42370490N.exe
-
Size
69KB
-
MD5
b32e3bb50939d30c6da3a3cf42370490
-
SHA1
083b57ce7c1b60b928e9c7a8accc47d0c7d86506
-
SHA256
db8046913a7a8a63fcb2766d5a0721c4541a9ed38a5607661a947bc6ef2df4c4
-
SHA512
93f423187baa43255546866c22236a51dfc9124e33c31e40f08f6d62f6304eb86d0d6dbd4c457712622bea80546fadffd0166ebc1f87b14f123b81ae7dd69565
-
SSDEEP
1536:W7ZNLpApCZrt8PWGoPWGANdN+hEwHwDvZvu:6NLWpCZIzjwHwA
Score
9/10
Malware Config
Signatures
-
Renames multiple (4356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\7-Zip\Lang\ta.txt.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\7-Zip\Lang\sk.txt.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jre-1.8\lib\deploy\[email protected] b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Internet Explorer\iexplore.exe.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp b32e3bb50939d30c6da3a3cf42370490N.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp b32e3bb50939d30c6da3a3cf42370490N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b32e3bb50939d30c6da3a3cf42370490N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b32e3bb50939d30c6da3a3cf42370490N.exe"C:\Users\Admin\AppData\Local\Temp\b32e3bb50939d30c6da3a3cf42370490N.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:81⤵PID:3672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
69KB
MD5b1a60e663c0d6b41256997cd70a79c0a
SHA1c02bfc540615ab2d6a374c6dee5f63c89aa82b12
SHA25652bcb472e8afaf10711f97d352b971766bdd481aa01d5a3a9313d4198514f37a
SHA512ffcefee0a62d837a1781cebe6eae8a144038e80a7c0be876e6a043f7066e5d540b15ff028cb737afaefc6e383ba11af57172466d2516ac9b0fabb7edf8df4448
-
Filesize
181KB
MD5ef13b01ab01e8209fe6c1f13f26a0259
SHA168b512f87f8f1a61ebafb75b4f08456c28e2998a
SHA2564b3862d0c8859f90615a5098380bf2eea5f8812f6d33fdd7be07ede30e68e4aa
SHA512a5c155fef435fbc1ce618e7955cf7f4b707a9c9c310b10988866b31f8501e24301fe4d6e5c7764d789bcae57336db616fac561b64c8c42a92bc16695aa2c9eb9