215d3469107969e265af632fe7a8f9e66fcce94fe005d21f4385b590ace225d6

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967bc82428f80010af0b3bdd4b076b60N.exe
Size

39KB
MD5

967bc82428f80010af0b3bdd4b076b60
SHA1

c7ddbc28dd5594ca54ac2377865175fec90f443b
SHA256

215d3469107969e265af632fe7a8f9e66fcce94fe005d21f4385b590ace225d6
SHA512

88dc48fd5763e9dd12299fc2046d9cbf1d2c314e3a36d47959662d4d0cae81b08314ca2c468ce64758e463730c1c651bced9d3f9a689a7e4be15ed364c6b17d2
SSDEEP

768:/7BlpQpARFbhS1012oN+OiJGfOiJfoN+OiJGfOiJM:/7ZQpApjbKbc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\kn.pak.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	967bc82428f80010af0b3bdd4b076b60N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	967bc82428f80010af0b3bdd4b076b60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967bc82428f80010af0b3bdd4b076b60N.exe

C:\Users\Admin\AppData\Local\Temp\967bc82428f80010af0b3bdd4b076b60N.exe
"C:\Users\Admin\AppData\Local\Temp\967bc82428f80010af0b3bdd4b076b60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:8
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
40KB

MD5
1a19bb020d5d85d59c8c51ef4c8b8bb4

SHA1
40feff2af18287f340029ff62c711a6b286c0f99

SHA256
63b25b02b58325d3daef7e4e43843bffa779ac7e54cf504234258092b1fde25c

SHA512
7473c7a55e412bb297c13e0c651bff8a34d79767a9c9ba2a0fa97c8fc27d4c3dce13f039966fef7a1901d87df1c55036154a0a65cabed86bc4155219359ec030

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
152KB

MD5
a67d98b416d0735a4e01abb1807c3712

SHA1
1c6c794ea16d2c2af70ffb848d0e09702da9158d

SHA256
36be900446ac01248bc14bae1bedfece5820887d5a8e81b0012a7015a9fbf591

SHA512
68b18144c1a09c02d8c02b1fb17d75517fac2d7b276eeaa11ccd1c515d86811288c62119b3c4f2aa72db22ea9b20e53c5a2c5f1ba58dad3664145472b4ae30ac

Download Submit
memory/5004-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5004-876-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download