f01ca8ba63050ca886c228e5e69e745c50a2e70e98289873b08aa0399cfd32bf

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c1df33d469f93f84023fa62e429660N.exe
Size

79KB
MD5

33c1df33d469f93f84023fa62e429660
SHA1

fbcc19a7e5ac64d1627d176c085eec85a75af1a1
SHA256

f01ca8ba63050ca886c228e5e69e745c50a2e70e98289873b08aa0399cfd32bf
SHA512

13ea4ac45d8779ebd274befe096368e0ef459111a4373cd9774d43851fb197831a1ccda802a92307e9892f0b8f23e3f3bcf51bb317e6531993a83cf49006c420
SSDEEP

1536:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjl0i/:6e7WpRaSljB

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClient.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClientSideProviders.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	33c1df33d469f93f84023fa62e429660N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp	33c1df33d469f93f84023fa62e429660N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33c1df33d469f93f84023fa62e429660N.exe

C:\Users\Admin\AppData\Local\Temp\33c1df33d469f93f84023fa62e429660N.exe
"C:\Users\Admin\AppData\Local\Temp\33c1df33d469f93f84023fa62e429660N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
80KB

MD5
65894be3cbaaabacbf9cc6ad44807dbc

SHA1
29c4185b80443ceb6b6130455133a0358b608b58

SHA256
28e9ce79d609d7e052ab8a7d440cc2b9bde832d4eab1a8344db01f74ea6fb703

SHA512
f7441d0759c5c8f3db24f804d19fe9cbbb7336b9582810e44cedec5d0f80eb8a73d34674bcc6317709ecde03d2b213a1c29837e9240112f2faaa0a8b15b6b730

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
178KB

MD5
774df98b739669ddecf851d228a44ecc

SHA1
03688384362e7dab6cdc32a66b5372ff3a038ff4

SHA256
cce102ba4a9068b37a122d616bd1b61f1f260f742f6b85cac9e269eeab71f254

SHA512
e6990930193e9d42bc3b6cf810267dd706a69bdbbb0b7b7c7cc9fbe5211a2594841f40daf8e64de62627a194d61366d65c9352e812d80aecc254d85640d3eaad

Download Submit