e0ece19c2d33f8cb0de09439ccefc3aea6ce1aa4465f27b638ccc16dc8e907e0

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 09:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
Size

43KB
MD5

73e9c5f9bf2ceb320d3a21a6c7e2db50
SHA1

492d0dca9db303f6ab27d0db60b0f40b3c88f925
SHA256

e0ece19c2d33f8cb0de09439ccefc3aea6ce1aa4465f27b638ccc16dc8e907e0
SHA512

f38c1fcc81bf9f1f0d0a2557cf616b1378e046663e1f06610fd9e801629487d92c396104af21b845819681ae6d4d7b9ba6851cc5cadffc856ba9a6f858231e16
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3Gb9CGDb9CGBjUDXV8gcjUDXV8gu:W7Blp9pARFbhOCQCPjw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe

C:\Users\Admin\AppData\Local\Temp\73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe
"C:\Users\Admin\AppData\Local\Temp\73e9c5f9bf2ceb320d3a21a6c7e2db50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
44KB

MD5
08c1ac593c8dc047f439a5d946cb59fb

SHA1
01d2531e668e3b300eacfc230bef351b6524665c

SHA256
3e750439fd948978c785028f943c16ad6ab7eeaf4b958c6f365598fafde022e2

SHA512
d18e188d81b742e1248b1890e01eee53be674008c19b1732a8cd0d339930251f884c403e420d3be34f9217f7de8a1d0c9036825605963138a5fc2c3b4b16b25f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
a404b9c01046a3d11866d60b1abcbc74

SHA1
dd211c6b7c831fa88abcf63402e72e3a2fd2d930

SHA256
f165234aa304833c515d4712eaf533b587c43481687cf627cb67597b73e02623

SHA512
9fa043d9aabc79b1873011279158149063eda33c4b380b3373af80de404e141ce6c2a6abd6a716985b5cd428c389a961490c64754a35c30fec36bc53b56231d8

Download Submit