8ea77ca066749a7fe1067a45ec15e7f3cbf2df71a31db51656b9c807dab610f4

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29c4316c655c9c20b1411fb85f961640N.exe
Size

101KB
MD5

29c4316c655c9c20b1411fb85f961640
SHA1

0371840f2e49627636f0c7ebf13fd920182f6c0e
SHA256

8ea77ca066749a7fe1067a45ec15e7f3cbf2df71a31db51656b9c807dab610f4
SHA512

d82b70a049abc70156169c9578c7f7c83dfdd35c6883ac7de1990a27ffb987a024ef4e0df879b25927ec77dc5ca004f75ba11934c9c0370c6576f397c78cca4b
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBm:PqFF2Ie+effyk

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\GetStep.ADTS.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	29c4316c655c9c20b1411fb85f961640N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29c4316c655c9c20b1411fb85f961640N.exe

C:\Users\Admin\AppData\Local\Temp\29c4316c655c9c20b1411fb85f961640N.exe
"C:\Users\Admin\AppData\Local\Temp\29c4316c655c9c20b1411fb85f961640N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
101KB

MD5
b87d95c3f03b6e26d794a48b1161fcdd

SHA1
332037e3a95db6b28923c7c8d3cc6076ad26ee70

SHA256
c919672ad40cb87eca778947ab6a3cfa02e37ee8f7f0ce786201bbe46e4f5a70

SHA512
b4bcb95fc20211cbc52af55ac854cce41fbfe48d668f5828136540850369ffb7215b76e0e45e62997235a3610f671361cbc648eaa082c50551d13b6163e01b86

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
200KB

MD5
08d283ba62991a053c16c08a3dd6c50b

SHA1
4f9cefc33005127ffa09c3b5fcae986f522639cb

SHA256
3b4c1073fb84a157bfcec1d54e7ff0fe75c8c2c3bce8fe8a116dfe08798cfd53

SHA512
24ea0b74ad6ebfd93d22ef94288d54a9a736bff44ba7cad9ce9b1ff7cb99f71a76c036bfe57b0075390d20e6c4d9e8c58690a1e5df5af69df21f3b094b868e33

Download Submit