b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
Size

73KB
MD5

3aace7a5d62d866089e5bd3c6520f7b3
SHA1

4d0422c2d70d0852599d98395bd54e2cf3d4fa4d
SHA256

b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd
SHA512

0e3e6ec7c45a5324d8fd1e31c5c950478b8e6176788133138aca62bb2ff06deaf821166f9f1d284860bbea56ef3f7403119d37bf6a1cbe94aab9fec5f7658ad3
SSDEEP

1536:W7ZppApBULcfpHLcfpX2/Nw/NwmxoPUMORnORdoG:6pWpBwchcV2WxOORnORT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5127) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Thread.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Crashpad\metadata.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe

C:\Users\Admin\AppData\Local\Temp\b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe
"C:\Users\Admin\AppData\Local\Temp\b43944268aa75eb5fd7d733b62596057ccc8590d2b9dea595092cf7ea1722edd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
73KB

MD5
e847fadc6aa9e3968377de4d9680e91f

SHA1
26e52280c74ed6304ffff62c684816c6d095c2da

SHA256
4c21c18710f8b4a51f8981277ac47dc61a6861daa58bfdb29f051a60cc3e539c

SHA512
59edd1907a3df75d948b913e8a028d8210bcef45f37720ab00b3dbe2d6270ccfa4700d0d68c3041009765525ddb5f87192548b12e07f9469fedfbb1d961f709f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
73fb09a76a61727e7e10bf941605f9e0

SHA1
95617a596dab901f17ed067bee02d8be87a00d4b

SHA256
1d9bf54787714252d6f0f34f0c67651271d823925e3b5e8a6e1f0e04d610d372

SHA512
112e441946d87f07f0d43e050dcc3ea8e06cc4f5a97898a88926ea2c2fdbb739c2f727ee0f401288675dbc230904bf3cbbf049d5a3b81ee437427e199b112f0c

Download Submit