3e66b71b72fc1d959bbb6a1c2f8a1d41c853f63ac0e8072e06c3a5cae976baaf

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2153fd2c6cb9b73c5de72092e192b9b0N.exe
Size

39KB
MD5

2153fd2c6cb9b73c5de72092e192b9b0
SHA1

d8da113629f5889fc5f25a8216f6e32b1cd52792
SHA256

3e66b71b72fc1d959bbb6a1c2f8a1d41c853f63ac0e8072e06c3a5cae976baaf
SHA512

4a6f7cd9da358a996ebb5343b0f0b1903c1d5f22615687d42f0dec375d660fd24b86ff99e3e609a2bef28ab8b65fa5ad5d76f4f7808a1c51662a2d7f1deaf89a
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LORWAnWAkpUE5c5eJy:W7ZhA7pApM21LOA1LOrtkpt6v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.tmp	2153fd2c6cb9b73c5de72092e192b9b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2153fd2c6cb9b73c5de72092e192b9b0N.exe

C:\Users\Admin\AppData\Local\Temp\2153fd2c6cb9b73c5de72092e192b9b0N.exe
"C:\Users\Admin\AppData\Local\Temp\2153fd2c6cb9b73c5de72092e192b9b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
39KB

MD5
176dd2de1c0b75ca998436b62d22000d

SHA1
32becd4965ec3327a6934b1fb8705f7cd1b4685d

SHA256
90d34b90df6b1d86b6dcb69a752c505adbbc5defce805205564e5d4bb830a2e7

SHA512
e3b73e9a95f17b4d7717c4f3486c5562568c80701324064cc256a9457aaad89627e11967e19f50e43e358365a42e85941c97fa9f9bd23752f7296a01ea292213

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
3bfbf1f272846f58fd84b3a4432b74fa

SHA1
95a88dcf16b53e757294933ed672114da16ce58e

SHA256
d0556e1bf6fb680e2df1dd3665199117fd8f9ef8e7d1a1fa11599716039c90c8

SHA512
e66fa8ab8c505821dbe49ff1dde729171b19ed0eb8f365b500fc1e0bc43d2abd6233b9ab3aa999cf66a83a9b1db50ad4466b48870f2f5ce19fac2c38e7e2eac2

Download Submit