1243e808a3e36417bfed7cefa4e40e285bc3b6bad7452cfed76b4dfdf7e5ef74

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7732e42824233fe325d0e1bb2e13620N.exe
Size

46KB
MD5

f7732e42824233fe325d0e1bb2e13620
SHA1

46fdefd473991a6f066a098e4959cf0ddb934071
SHA256

1243e808a3e36417bfed7cefa4e40e285bc3b6bad7452cfed76b4dfdf7e5ef74
SHA512

a68779dd54157ffa1384fe6d9792d2611621c4d6473b122b86324d6d4917ac608b67c7e0d8b44ae99f5e85c1249c92ef147f56290013c549435ac94f2f3059fd
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyXLeCee:W7ZppApyVyjVyXn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	f7732e42824233fe325d0e1bb2e13620N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	f7732e42824233fe325d0e1bb2e13620N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7732e42824233fe325d0e1bb2e13620N.exe

C:\Users\Admin\AppData\Local\Temp\f7732e42824233fe325d0e1bb2e13620N.exe
"C:\Users\Admin\AppData\Local\Temp\f7732e42824233fe325d0e1bb2e13620N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
46KB

MD5
8d52b928f820e0e3ef6b1bf4543a62c7

SHA1
7a9bd4fb91ce08a895c20389ccfef6f3208f7dd1

SHA256
7626291b0d65892353143a8dcaaa214a84661daee8d37366ae8fadf4e9bb0bee

SHA512
f37be3f5259b30a11c3d589255d48e0366da77e1fb1630ae5e6055d9ecb3d7c59d365dba22cc76db1db308bb8a491bbdd450b49d81b6ad735e6d99e935b60a9b

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
158KB

MD5
1e7ddd9d3c65cdd17041e86f66d9054e

SHA1
96acc435d759ef8b9806f46a855fd29e914edf7a

SHA256
3602f5969693c5e964527c509087bba318021bd23568e97343defdb20a657989

SHA512
58754c39433755ef8d409dfa02891ecda15c2d30d51b425e5e7c474ad5e2adb122c7da09c00c16efdce3b66a5ad60a21660b0531f8271e3cf637499eb2b6ffae

Download Submit