320477122b2d19a7606e71298a1c0aee56dc1923663037c5abd209ac782f14f0

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
Size

95KB
MD5

7c3b17c7d31c2c12bf6aebdfe0ee2790
SHA1

8b2d48ff4391978f11f51ea00130c23b0f2ad932
SHA256

320477122b2d19a7606e71298a1c0aee56dc1923663037c5abd209ac782f14f0
SHA512

0d8ad1914e0208a9f9865d0aaa7fc61b8789e2219b904c53de4e689bfc215aea6c325388f3d754c70680fe612ba8c23af562da465c08ed95482fc1954e9f1a83
SSDEEP

1536:/7ZQpAp/LNgGYJ5OngGYJ5OQXQoQ7KIKtnAQanAQk:9QWpxhBhDR7KIKd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4531) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe

C:\Users\Admin\AppData\Local\Temp\7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe
"C:\Users\Admin\AppData\Local\Temp\7c3b17c7d31c2c12bf6aebdfe0ee2790N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
95KB

MD5
e135840d07fc8c1d0a0520046f3c7d08

SHA1
c90f765a07c4f428176dccccbd34127c6c5e434c

SHA256
6351fc22af3c76db3d43fbcfe3bf9c4768adff1e9c4bf7f531df298fa35cd843

SHA512
d74f91facc849f023917ad43cf7454726015d841aec11b5fc3341055693a119cb315470b776b0e864ab2f6b6e3be5e3ab6a1f79b9e8b80309e0cb5f45ba526d7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
194KB

MD5
b4739768ac47b2d943962d09e5f15037

SHA1
71067318ee327441ba6cf07c5a09f979834fdd3e

SHA256
cb847aba51183dccccdb8045b663d0c901631484d7b5f6a40376a0b3fdb7fb68

SHA512
d6fb40bb843d578e09f4b765ef16aa77ec59f50be6acdf3bb92473ab049eb5aa7495e2b05c2763a715d621c8e758571477da97f6515027f452cad9b420e76318

Download Submit
memory/4532-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4532-850-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download