dbb59fe3de114613ac4f8bd8598f6bc35aef1c577ee5fd36d9797de80a819a4f

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8389cead0fec90d623e53d0224e503b0N.exe
Size

51KB
MD5

8389cead0fec90d623e53d0224e503b0
SHA1

f578fe42d82d858521d38fc51f177a2d6d2a767e
SHA256

dbb59fe3de114613ac4f8bd8598f6bc35aef1c577ee5fd36d9797de80a819a4f
SHA512

752dd54aeea0003f0e440e20ffd7dcdd6bf3df07d6f1189ce2c5e9ff1aadc9ca0abefbdf1e4f576e4bf509df0b644ce5f6f18c68f35446c8e07b21ecdb640512
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0IOe2eQOUaHOUae:/7BlpQpARFbhNIiJwsJwwnZOe2epke

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4650) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.tmp	8389cead0fec90d623e53d0224e503b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	8389cead0fec90d623e53d0224e503b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8389cead0fec90d623e53d0224e503b0N.exe

C:\Users\Admin\AppData\Local\Temp\8389cead0fec90d623e53d0224e503b0N.exe
"C:\Users\Admin\AppData\Local\Temp\8389cead0fec90d623e53d0224e503b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
51KB

MD5
75d9b97c0608872969b2abe2951d242a

SHA1
b58fad24f5282e37ed32dc3a024970ea1e56c4f1

SHA256
827ec484c594d8739b6badd8375ab680075cb5699a4e9cd1a35c7c45fdba57b1

SHA512
86ace944eaef00750e8d674d03757be7cc395c8c64100348010285668a5f72d05510c00563b4452ad60205f9db6f7427b68bd11b2029a5c93bc4035283d48e72

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
ff0edbd29ba5fee4fdf0059c893cc944

SHA1
955c2a6c7fcc73762996f8c32fcfbc5f7b50db09

SHA256
06fed83c548a93be5e187892554b4b38821cd142b8d82d0b5a9d61dba9c4ea00

SHA512
328bc17b8a09e645442ff1bb7c5291345fa1186f15737a6c08d01c0e39158a8f0108505af614067e3c5b722d69d491b98685f67404263428a9a90e3dfdef10dc

Download Submit
memory/1728-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1728-914-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download