a8a30d9df7a22520dbe7492f9592030da6571c6cacc6b03329f5e7960503cb60

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a05a7e944077283f353dcf73c99810N.exe
Size

47KB
MD5

29a05a7e944077283f353dcf73c99810
SHA1

ba7b2937d3a96ee764755d089f843a53f1fc8dfb
SHA256

a8a30d9df7a22520dbe7492f9592030da6571c6cacc6b03329f5e7960503cb60
SHA512

b3a79401fde67e85dba627d4d9d9fe7cd0e8da4773a7f173a0990021a4edc6f3a374eba74f015c57b163d398c10bf7df3a1d5b1b903154dcc41b99f45c3ba704
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGwTCus7sj0h3MM0h3Mm:W7BlpppARFbhbt7Y7wTCg0hcM0hcm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (337) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\directshowtap.ax.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\sonicsptransform.ax.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\fieldswitch.ax.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\PipeTran.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29a05a7e944077283f353dcf73c99810N.exe

C:\Users\Admin\AppData\Local\Temp\29a05a7e944077283f353dcf73c99810N.exe
"C:\Users\Admin\AppData\Local\Temp\29a05a7e944077283f353dcf73c99810N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

Filesize
47KB

MD5
76ba00e259958a52ee3ca42ef1d3eba2

SHA1
ba910334401ad7ca2533264f26d7ea34f3dd3517

SHA256
41b330b40dd2ff73a8fe8b920463d0299849c8a1331497a2ed4e74714eca49b1

SHA512
ca0c4bd84f2fccde79a62e1553846245120176d400d9539ffe3314f61320980489076a9551f5435b675c096adc48540b2e62c977dae0a63a382bb5270f0ff6cf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
56KB

MD5
6834fd8dc9f62e17a52265d41e96c9c5

SHA1
dda80b262d56809f13448bf55a45d8e91df6675d

SHA256
f907e26312dea6baf59fd8d519c96ad2912dba2fc84a01d10f44261c1ee87c7b

SHA512
d3b0f844c6d606acfc4b5238f7d9d31cb32c8a2da46e193fbd76b8d81289c898984358975bdb4a3d92088aebf8328ceb79057d993b38bacfd694cd2374e2fde4

Download Submit