09cf8a3a69ac7a9e77ad1f2b1f6497520d3544958b671cd4999fbf78f6eba4d8

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b333d4122c80b7e6520cce97882bfe0N.exe
Size

54KB
MD5

2b333d4122c80b7e6520cce97882bfe0
SHA1

1f87673d3618e7a432fef6d099760ab207725051
SHA256

09cf8a3a69ac7a9e77ad1f2b1f6497520d3544958b671cd4999fbf78f6eba4d8
SHA512

60fe6238daa4622f8b140b88f7cb86066becedbad823b5284bc54b1c4f4e5afdaddb3e3b4183673fda7f5a7c060aa662d5341f8c75c9528f3e1c719e287d3d35
SSDEEP

1536:W7ZhA7pApM21LOA1LOrtkpt6UrX4sSeCQCP:6e7WpMgLOiLOrtx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\LINEAR_RGB.pf.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	2b333d4122c80b7e6520cce97882bfe0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b333d4122c80b7e6520cce97882bfe0N.exe

C:\Users\Admin\AppData\Local\Temp\2b333d4122c80b7e6520cce97882bfe0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b333d4122c80b7e6520cce97882bfe0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
54KB

MD5
053a0f409431d68993590d0f17129e26

SHA1
dd2482625953d7e999851f21a427b91bb19efede

SHA256
9586db869a7b2cdb242816dc2f66ddb5859c5475dfb8bad7f4077733d28358c4

SHA512
fb9e70324cef4b7de8bdfc1433d63a81fb3e18f3375ffd9ad5f974008be3a5e8ec7a12dde59fd3fdf264e4496f927ea6089c8eebfd724ef524969e0bb7bf69d1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
b4b8a237fe23e5b667e93bd15f31c58d

SHA1
78193160c3428e62dd328de3d76c5dcd307137f1

SHA256
2b667e7b087c33f9429d298c3c61760abbf1911576e194a1f3c07f47140c64ae

SHA512
1ebd3a1c59a801a5f94179bb2969dcde1a40ff04e60a826cc333e48bdfe5fedad2609dff119993c0b2123dab3e9eaee5f320c235fa7b078074be6e4d6fbd5982

Download Submit