980bd8cb442f5b771362babea4b6b1b9bee582569854a48b3f6c96eb4995b396

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

232c59784d50a8ee5921bb0950ca9610N.exe
Size

133KB
MD5

232c59784d50a8ee5921bb0950ca9610
SHA1

bcf404082073c4c007796f14ad02185fbd5facd7
SHA256

980bd8cb442f5b771362babea4b6b1b9bee582569854a48b3f6c96eb4995b396
SHA512

b5bec208708656d102d5fda6c136e567805022d2f7b6e5d3e8bcd3ea1f3bbd15741018af79cce017c8a48349cc285ee15f9716f0b596ba937ecf99c9cc9a26ec
SSDEEP

1536:W7ZhA7pApMaxB4b0CYRHyE2ncwEoh4WXW5lhyYrq+gykkQ4y9ctO:6e7WpMaxeb0CYjm1Jgqt+JkkDyX

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.SystemEvents.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\HideOut.wmv.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	232c59784d50a8ee5921bb0950ca9610N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	232c59784d50a8ee5921bb0950ca9610N.exe

C:\Users\Admin\AppData\Local\Temp\232c59784d50a8ee5921bb0950ca9610N.exe
"C:\Users\Admin\AppData\Local\Temp\232c59784d50a8ee5921bb0950ca9610N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
134KB

MD5
e47c472db9812fa2392c2cfff1709004

SHA1
7ff6ee8d1959608338272eed1dd46a030688cb80

SHA256
2616da76a3858e05ccacdc14c02422c7c876803709001c0aa70d0351c1b4f2e1

SHA512
c5c80c9f2cca1f75a5626bf62ad46b6adec71cf36a4f20dad716774a0a4dce079737a65d92db33080125bd849b7ce11900a5c0bef80f7f2a5b835c6e18eab27e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
232KB

MD5
043bb5df9ef6872f15c87a55ee77776b

SHA1
6f38658c601fac0c127489097ca7e3f3cc19aeb1

SHA256
0ffdc967216f3b1e78cd187014d66be93d78ce1d3042a008a9d45be8e7b049b6

SHA512
51941e0074706efd5cb5b3dbb24edcf04962600dcb8ccb946d9b81e4a0bab69df41ce1bf543c9b9502087c1a41682e675d1a0d93bd9ee3e485a7e698c891d7bf

Download Submit