b11eac059d3b76c9873ee28882e7149bac74e484493b34d623246d609c94fc77

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b2329284bdeb1349a9213d873d4760N.exe
Size

47KB
MD5

27b2329284bdeb1349a9213d873d4760
SHA1

00347ad66206f677a962049d2b031faff1fee91f
SHA256

b11eac059d3b76c9873ee28882e7149bac74e484493b34d623246d609c94fc77
SHA512

461e8761f3f01c09e447e80a7bd0425d170459cc09e0ba0e1ff6b6a5514bd0581ca455c0ea215dd29a8877a7cfe7aa23395cdfa62d97af4efa88af8ce2bcb806
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOd+QRI7c7x6e:W7ZhA7pApM21LOA1LOTRcwx6e

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4673) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	27b2329284bdeb1349a9213d873d4760N.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	27b2329284bdeb1349a9213d873d4760N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27b2329284bdeb1349a9213d873d4760N.exe

C:\Users\Admin\AppData\Local\Temp\27b2329284bdeb1349a9213d873d4760N.exe
"C:\Users\Admin\AppData\Local\Temp\27b2329284bdeb1349a9213d873d4760N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
48KB

MD5
ad627bbed42eb9d4394f0e42dc28d699

SHA1
b5f90654fa82d005abf3f2bb87d44039e4b36b9c

SHA256
c9b9404cbc7343c43a4ca8ee31571a161a2eef3b55ccfd8be7434a162d6fa19d

SHA512
b34f26d38d38249eb7ce60f9ee59fdb4e915c7bee0b1221f4f567c599002effb298bdca0c550a5baf2a109f26be68a619118eb5b15dbb462f12f5ad0b048a707

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
48a033d4222a81422a28a1b919ce1895

SHA1
1346804753b9972549b6b07ecba1b0afa4309378

SHA256
f6de8dfe0fd39b2dcddfa7675fdf702a9cf0694026bc4eb008f637a43a586a83

SHA512
68e5de3e83e6d58d508219e3728c64ce273a4c51e6a8945c421ff4790eb49952e75128f74c7cb478050d94d5f258b360b72db563dfa25871298ab6a23069f030

Download Submit