a8a30d9df7a22520dbe7492f9592030da6571c6cacc6b03329f5e7960503cb60

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a05a7e944077283f353dcf73c99810N.exe
Size

47KB
MD5

29a05a7e944077283f353dcf73c99810
SHA1

ba7b2937d3a96ee764755d089f843a53f1fc8dfb
SHA256

a8a30d9df7a22520dbe7492f9592030da6571c6cacc6b03329f5e7960503cb60
SHA512

b3a79401fde67e85dba627d4d9d9fe7cd0e8da4773a7f173a0990021a4edc6f3a374eba74f015c57b163d398c10bf7df3a1d5b1b903154dcc41b99f45c3ba704
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGwTCus7sj0h3MM0h3Mm:W7BlpppARFbhbt7Y7wTCg0hcM0hcm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	29a05a7e944077283f353dcf73c99810N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	29a05a7e944077283f353dcf73c99810N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29a05a7e944077283f353dcf73c99810N.exe

C:\Users\Admin\AppData\Local\Temp\29a05a7e944077283f353dcf73c99810N.exe
"C:\Users\Admin\AppData\Local\Temp\29a05a7e944077283f353dcf73c99810N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
47KB

MD5
3f92eb4869e6c2bc6514c42db8c5b0d2

SHA1
d5351594178ba4508a7c5672e2afb0ae45a38a25

SHA256
4b25db2aa885858d5fd17515aa313043b4bc12af6e2ee142c708c636697a7b92

SHA512
0f02a1deef2d9f9bca9f5e7423378ad84708df25ec8042f24abd5460ce3f2db7182f178e4c5db85f5714986463fb93828ce5d3a4deed44ddb4a04d49ee543059

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
7bcc48675a9680e7ba5cfc0505a22877

SHA1
5eb2496bdf63543e6d67d5e67385f3681e54b953

SHA256
a7009e36b5bfa48abd526bbb6aef32c30fab3bca51e9778eee0af2f6a7f35a2b

SHA512
0bbc9c95cc78f67f1003952d132f6c9853780d7aa346765bbff7a4664c03780a182f465eeaa8339a4b3494950dfadf04cdb74eb68d89d43bc9eb86ae7422d16c

Download Submit