cd362961d73aaec6159b98c2dcfdc0c91c51957abb597002a012b16243abb57b

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a3289c32d60f191e296538b4366e90N.exe
Size

41KB
MD5

76a3289c32d60f191e296538b4366e90
SHA1

7bcb3db8f0de34729d56cf40c28cf49d5f6c2b90
SHA256

cd362961d73aaec6159b98c2dcfdc0c91c51957abb597002a012b16243abb57b
SHA512

9fa672626edda7fb1c3d169fc83f9229cad23af63009d8d5ff76c41b2bb7916786ddc5729ef90e95ef9b3e4d2b06778302bdd824fd276d6747796d7b284959d6
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmIGR:yBs7Br5xjL8AgA71Fbhv/Fzzwzl83/H

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4674) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	76a3289c32d60f191e296538b4366e90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a3289c32d60f191e296538b4366e90N.exe

C:\Users\Admin\AppData\Local\Temp\76a3289c32d60f191e296538b4366e90N.exe
"C:\Users\Admin\AppData\Local\Temp\76a3289c32d60f191e296538b4366e90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
41KB

MD5
dcbded309b7ad85216b89a5807d24c9a

SHA1
0c027167084bf735b865bc95607bb231ce4a56bb

SHA256
8b8bec470c2c1cba3ddeab4bde4592ebc3fc735535c019b6b7b7f9a67c1f23bf

SHA512
85ec586d1ac965bbb057778a10911c29a3bd267489b792a04adc613a8937e6f032074cd3c5775183665dc4bf8611b7e575665d095d56e4062530da09ea29bf49

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
809f6399531e6ae8fc17f340d0dec8a8

SHA1
6dbf5176de36685b56eb6716af4133bbb8af980b

SHA256
bf9687e5882c935f90debfebf521d9773fcbd487a41cf3b3e633fffaa1f4d993

SHA512
a273c541f99d9c18ddb56415e67d47289dde0ae848ae01fa3714fc4200efd97cba078de2a9276384c59f6a5f6831c30012e5c23bf216a94414db6b255864da71

Download Submit
memory/4672-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4672-880-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download