ad4d7bd80f403d5c3b3c48d5f47a3770ca99f2366e931349737cbbd73ee27405

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b37b5af6f37d14e0138d8472338aa050N.exe
Size

65KB
MD5

b37b5af6f37d14e0138d8472338aa050
SHA1

d41f91a02beb06c0acb0e259d82a1b3367376174
SHA256

ad4d7bd80f403d5c3b3c48d5f47a3770ca99f2366e931349737cbbd73ee27405
SHA512

7d73ae86864d8c1ba069c72534845c18e3b1374bd172831fbe084b866292c0a78a25539737d0fe22d3804069a1be9c7674eafe67bf0b3cbfc6911ed9c2954183
SSDEEP

768:W7BlpNLpARFbhblkYlkuvIYFdJSpXeX4AGAbehQ:W7ZNLpApCZuvIYXJSpXeX/ByhQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	b37b5af6f37d14e0138d8472338aa050N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	b37b5af6f37d14e0138d8472338aa050N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b37b5af6f37d14e0138d8472338aa050N.exe

C:\Users\Admin\AppData\Local\Temp\b37b5af6f37d14e0138d8472338aa050N.exe
"C:\Users\Admin\AppData\Local\Temp\b37b5af6f37d14e0138d8472338aa050N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
65KB

MD5
335b6979654c3621450ae8d2d342f0ef

SHA1
061e99cad07c0f2e7c16c2a8bf7c59ee37e22cdc

SHA256
12d9ce9b586463f7b4c721249939c43ca4bb7e3bfb64e6e0d817f362cd5341a2

SHA512
35165fd3f4ed9f5b039097f7ed3fd25da460f46abe8d10ae572a0ee3ba039f12125a92b3c7636cdf042f5367c8ccc9f7abad3ef0e5786912ea6efeeb5af1f3b3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
ff1ad766ad42690fec74101e91ef78eb

SHA1
9f3b84324e8cd79a92cfc9b26c6aaaea25195369

SHA256
970213cbdfb7fb4b7c1374b0a8b0269c9f3381a992be70494ec8cc88fe797728

SHA512
fc7a22a3eead3942d59685400e85c1ea1d3c28d04c4554c061a8069d2e26512eacbc7b51ae659d0cf98dd6594b384881aa1e291d3cab8291d56cd8fca7d4a11f

Download Submit