254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
Size

62KB
MD5

53d5b754a3cf1743b1383aecedb6b300
SHA1

84ed04b42b1a4a29cbd6d38578fc4d945af9c8c3
SHA256

254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334
SHA512

218b33c424c8aa31df8d3bdb077d3ce823655be848b0970ebfebfeb6b7e2719d8d4ec53f0043197605aa37dbf6d3bdea8ddf52238088e79a18fbd414fd2b7116
SSDEEP

1536:W7ZppApBULcfpHLcfpyDMJNnyGJNnyIypCypq:6pWpBwchcwDNZq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe

C:\Users\Admin\AppData\Local\Temp\254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
"C:\Users\Admin\AppData\Local\Temp\254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
63KB

MD5
ef257614b2e1e24d3931f61e21b8931d

SHA1
ba8bae969dbf0c335c8e438e869a21b9de03ec3a

SHA256
99b6d69454ad8c8b9504d505e6da770c13fc5a8699b300c4865b1fbb79d4f2be

SHA512
4bf9074f1aef6f3e57088f731f6ac01cd1de31babf396b251cd0d4f6341be5e84c1a1c22e43f79899948b7f35ec9b6f55dcbcbf5b6f4d88a07529ca67726c1a2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
514cfbd08670669ecf0a04da54fbd7d4

SHA1
a96adb26a822dced517d00c1f33e6bf31e90c0a3

SHA256
dab598af942c8c20a796fd53de36052298f176105bf586633619f618b0d030fe

SHA512
2907bb744db0bf5fe56170e79f6767e4591c84a56c226541b69b9339c5006a47fa21ab71929ac8c3fd6e1341bd099d1a022b97fe5baadee0b09ffe9565fa75df

Download Submit