4fb8075a0156672b49562fdc02571accd05eed1be5dbe427871a1ab1f9f98b32

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b38e156165d5dfb188375a6e28f79ed0N.exe
Size

92KB
MD5

b38e156165d5dfb188375a6e28f79ed0
SHA1

33d0490bc7753783ce201057227a266b82fc3ae8
SHA256

4fb8075a0156672b49562fdc02571accd05eed1be5dbe427871a1ab1f9f98b32
SHA512

4b16f2af0551cf3fefc32e486b9c9029feac29138fd9779b53e9ed8e211c60910fe3b67138c877f9b596b3586cade0c254d6370d62d978a65350b217c96c378b
SSDEEP

1536:W7Z2sspApGg7bobSM+t58qKcAK+j4nI4VfNgZ11PED4gJQeAAUZa0EzOMN:62ssWpGgrM+t58qKcAK+j4n7ByeFUG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	b38e156165d5dfb188375a6e28f79ed0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b38e156165d5dfb188375a6e28f79ed0N.exe

C:\Users\Admin\AppData\Local\Temp\b38e156165d5dfb188375a6e28f79ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\b38e156165d5dfb188375a6e28f79ed0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
93KB

MD5
d87830ed4255fc68464491aa6cbf8664

SHA1
555f669ea35db32d43e78e2be8f7a4648b582728

SHA256
4d789e08309e23bb66d3993fec60be8d106a37b14afb8eddda476bb6a5a42a92

SHA512
0674509194f47e61d2dff8fe3526ea2823a37d960a098ac441b81f5bc12221d6c529ed8f03408f77f9a4f809f92d45ff97dd318e72069a9165f53905f65f1887

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
cd661968db6b52cee5e84d9cc86744cf

SHA1
7b570f2dab286fa914d4307c6e4247bb5a9ae90d

SHA256
e4d5c2423bbe8c77ec2c26d3f2769de4323022e9b9552e26407dfcf55206927c

SHA512
60ecabce3e4d8f57e452c2f3c2bc3527fcfe0c31b1e47bec212e9c812d1001f8c4fd58f8cb37086a9c24ef04a266151c6b3481b7a6c5a863f29533f325162595

Download Submit