31fd1454c9dcfa04ed0b2b48b99fa17c46af72cdd14f2e2de8629064ae0aac69

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e0e2abcbc9d58f75be09be8e602910N.exe
Size

108KB
MD5

36e0e2abcbc9d58f75be09be8e602910
SHA1

9bdb16d1182fdbd2e9ba6b1e1aed2ba72a8ef93a
SHA256

31fd1454c9dcfa04ed0b2b48b99fa17c46af72cdd14f2e2de8629064ae0aac69
SHA512

b51c67d6988a15337ff5a5d462276e61ac74f80a31c7155226dab6cbebe678b9b08fd99f355caf228c0d79d3709cd0d7d209833a123b410780d7a4086209507e
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBR:PqFF2Ie+efsim2QF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4362) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.tmp	36e0e2abcbc9d58f75be09be8e602910N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36e0e2abcbc9d58f75be09be8e602910N.exe

C:\Users\Admin\AppData\Local\Temp\36e0e2abcbc9d58f75be09be8e602910N.exe
"C:\Users\Admin\AppData\Local\Temp\36e0e2abcbc9d58f75be09be8e602910N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
108KB

MD5
e75f4ccb19f063c73bec8a20d8ec17d2

SHA1
3315ec96de1f904e35f89d0da7e30ea504163c04

SHA256
c03b9c4424881a0e2a048e67ffd55892be54fd1cfc19ef36932f814dc5ed492b

SHA512
2c477f632877c748bbf72d65a8e489b4473f28164b23b8fd716dd152001a09137351ebc1f94d826db5bb0c8034afca7192585cb7ba2d1e6ba26a4b019c41967e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
207KB

MD5
3647c6bb97959cb834e10fc0fb5581f2

SHA1
5d81b8d0704ae701038f0f8435f8730a5e646462

SHA256
ab3a4142dc21b3a05b49661d6e15c37c5226de8863a3fc73a8a0e136e83ef345

SHA512
f4071014ca4bcccb7a99ce0597b6608c24808ec3d4bbaf2e33e7d721f2235c8f9f0ada2d87a63fc38530031fee081ae99ff96778d2bbad50d41d6dca63936cf3

Download Submit