804cb24f48d5e9fabd05081066b4b6ffbb8adada9616ec5d65eaaab1c1225af4

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31810d543ef49c3af9674e9f855a32d0N.exe
Size

50KB
MD5

31810d543ef49c3af9674e9f855a32d0
SHA1

4df426eee7ef8440a67a9f0e3169ef9e587931cd
SHA256

804cb24f48d5e9fabd05081066b4b6ffbb8adada9616ec5d65eaaab1c1225af4
SHA512

45e554cbda1730fc2046797a91828ea9d1473bfe14335c36741c5726e3e987be4fda318d330a60088807d9640b4b0ec75ef7e45baa671e9457a2c49fe457f83e
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyic7Fc72:W7ZppApyVyjVyHo2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	31810d543ef49c3af9674e9f855a32d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	31810d543ef49c3af9674e9f855a32d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31810d543ef49c3af9674e9f855a32d0N.exe

C:\Users\Admin\AppData\Local\Temp\31810d543ef49c3af9674e9f855a32d0N.exe
"C:\Users\Admin\AppData\Local\Temp\31810d543ef49c3af9674e9f855a32d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
50KB

MD5
eb8046c0ad4cc20a6ce4158c3e033383

SHA1
ae601f80545c27e375103edec3a90bf883b6bc8d

SHA256
fd509cd777af84c98e305fc289bfefd0c70c247275f852f5626a1491a0888ba0

SHA512
c3f37a9a7f867235966f7667b9052e9d3eade1ad63851efef4c3d206a6390403c66fe578ed2037562e7a62b47f27b20c0b7520f6d6ca014dd54015f1cb1a4cee

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
577d82b7a2c28fcd756123827205f8c1

SHA1
3dab36cbca636c5af7a5c6c0e60f03900114e40a

SHA256
c1ec06fc0e23f072cca768d3baa07166c513dd0effbc43262d9cfe34eca21db4

SHA512
69d54c4db352134f00e067a657ba5a6fddeaa359f41ba9a70d77763f5035926f27a6fe67e468e6708e76acaf421c90a6a7577bd5d50b843d16968c000413df9b

Download Submit