2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
Size

42KB
MD5

1769d9439981587bb5fc5319a01298a8
SHA1

24444d3530ebf1f46d37bf76e8d007f60512186d
SHA256

2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c
SHA512

aec97899bdb86b9a5cb0d6f087d0f7816e7949a05a2b5a349f1b1fd44a697de8059caaed60c747033f86cec5b2a6d24a1b5d1fc3c1ba9b1153b0fbbade4e4c47
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNQFrs0AqAJwO1AqAJwOf0VyjVyt:W7BlpppARFbhHFoqAJwBqAJw1VyjVyt

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.tree.dat.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe

C:\Users\Admin\AppData\Local\Temp\2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe
"C:\Users\Admin\AppData\Local\Temp\2279a41b5b4dd29bb9afe6d4796d1544608ec2e6c58a8c551ca3fd92a234ef9c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
42KB

MD5
c354ad97b84f5a63ad75d872fecb5ce3

SHA1
64ad69b60760d18bcd7dd013addd4f924fe3467d

SHA256
97cdccb4a93ffcfaf03b5f483b41a84f8d47bd496a6148f8d02a75f00178f23a

SHA512
321624b0e46c7cd6d07d55fed4659ec34726f0044d8b4d281e9d5f186484170b6c5ecc5f369d5c586e72773d025bdfb9497e9c3e0bcc04431e2ff59b54fc9741

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
7daf0b61f968e428a703d2897096abbf

SHA1
e4449dd44d077053a6ce09296c636d5c8e621511

SHA256
bee341643511ddce8d81aa45d77c38d828365bd36317cbf979c7636a42fa065c

SHA512
83470703eaa24f45777010676cf14b48b213739dfc69568f4ae4240873e5de3c5bfa84c7c58983904b7a2dafaf7dff29272ef1cb0be7da7f63c793b45e92daff

Download Submit