31fc65ee94a7fa541e5cd9c47fc56a0afad85a536504d4a23fb4fde0edf8a4c5

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248e96690bf91df853f90ff252a58650N.exe
Size

43KB
MD5

248e96690bf91df853f90ff252a58650
SHA1

32d487dbc1fbf4ad89f575f393dc84042aec0272
SHA256

31fc65ee94a7fa541e5cd9c47fc56a0afad85a536504d4a23fb4fde0edf8a4c5
SHA512

fdbd9338571ceabeee88b05c5a3241b0c7bcbe75e53fd74a21219691c29f0e06f8fc995d1d4e24e3e646fc29111c43a4e6613c6f17c5d3bf01e6fc03e74bb7ed
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8ON0:W7ZhA7pApM21LOA1LOPN0

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	248e96690bf91df853f90ff252a58650N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	248e96690bf91df853f90ff252a58650N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	248e96690bf91df853f90ff252a58650N.exe

C:\Users\Admin\AppData\Local\Temp\248e96690bf91df853f90ff252a58650N.exe
"C:\Users\Admin\AppData\Local\Temp\248e96690bf91df853f90ff252a58650N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3804,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:8
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
43KB

MD5
23b30b713326829af23dede86b2baaac

SHA1
d1ab4d797af20c3f7e4a3365acef18c648aa37f0

SHA256
71b2396b8654efcb21c85ee4479feaaca34ec77540c121e79b73c6d33a6e4a83

SHA512
2b429e9d36f6811a06319322765a2e89385d40d33555fdfb0b2b66bd3437095108817d4a966e8025b115dd305a29e6a02cd0fef302b90a6918a78e92ae60d3d5

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
156KB

MD5
625be536f9c009403a6957c435da92ed

SHA1
b42a5a8bc2031e47a25ecb3a30ff504b0094baea

SHA256
c821b2401da41a3db4846aea6cc13d4a5b9c374f2a317de6dd376477463c3f15

SHA512
83d0623fbe32a2b9ae6c5b4123e42eb7ea9f7aaa5ffad22275ae82f8f2a46be578f3afca0379aeaddc8e332cafca328d8361cda3c25c05f9877a838e02aa23b8

Download Submit