31b7bd1ddb63dc340083afe612ce4320b4296403e79784f1ae5c5ba6ad1cd07b

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41655a1e9954303ec5afe9452dced220N.exe
Size

51KB
MD5

41655a1e9954303ec5afe9452dced220
SHA1

9a068c2f584ac7886f81540676147e9d2eaca19b
SHA256

31b7bd1ddb63dc340083afe612ce4320b4296403e79784f1ae5c5ba6ad1cd07b
SHA512

5ca7f92b8c546fcaad68c97959b2c2f1bf0552f520a10983fac1a614f62d014638c8ef1daee4db4c81cd6bca8d00e6978876bb19571d9f572eeb5b259995aad4
SSDEEP

768:p7BlphA7dASbSLJJBZBZaOAOIB3jM2jMO/vY6q/Gum/Guj:p7ZhA7dAxJJB7LD2I2IGYM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	41655a1e9954303ec5afe9452dced220N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	41655a1e9954303ec5afe9452dced220N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41655a1e9954303ec5afe9452dced220N.exe

C:\Users\Admin\AppData\Local\Temp\41655a1e9954303ec5afe9452dced220N.exe
"C:\Users\Admin\AppData\Local\Temp\41655a1e9954303ec5afe9452dced220N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
51KB

MD5
78407383fedcce9d2904f1c503853822

SHA1
b6fc314823c8c6d57e9bb27e901020c6d210efab

SHA256
f19e42ddc81370c4aa638b36d4be00a4c527ef5a4728c23f50cb736e51770c01

SHA512
190cfe53ffb6e6d526c43a3658a717803e83449c3248fb150bef5538146c8211842493462834b8c6047df3758cc40de24a90dbf70261edcc6e540f8aae01f908

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
0a49957192ed4bb09421817956e6dd0f

SHA1
7a86f1c7c52082c97356949da60772e6142aa477

SHA256
4fcaad70f4ae45fc6e110f4da4219752fee2231f3817a407a0103a24637ad169

SHA512
feebc4b3402abc7c963e6880511335d120b59bcb4aec41ab461e5fa1b212cd637d2ce42d05f710f9d70f9b62d54bf489ab17c13d6a8e20466db4feea96068410

Download Submit