44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
Size

54KB
MD5

6191333dac3ed0f391529a1a9cbccb34
SHA1

3e3e5ed62a2e73248cd96ba6ffed7160798896b6
SHA256

44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f
SHA512

44de5800d20850d9c841eb637cb7ee90678ff2de2ebeea4f9e3ef98e467ed62e14c8716b12a2ea68f95522246d3bf1cb5c369af2f1dfed26f4cc234fbae27fc6
SSDEEP

768:W7Blp2sspARFbh5YSfff9n1oXKCqzEIn1oXKCqzEqBBBgZJZr:W7Z2sspAp5YSfff/BBBunr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe

C:\Users\Admin\AppData\Local\Temp\44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe
"C:\Users\Admin\AppData\Local\Temp\44cb3f76cdfe312fa18f68b6c6a5f74623a6bd1555e4d69abedbfd5a5097717f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
54KB

MD5
b06c211c6b08f17c9aff6d4563eb88d6

SHA1
4eaed25a5da174d9f63a8fb51f1b84697f897baa

SHA256
93643d6d40ae11a4a44376d7942c5aa34bdd7706018f7ba0e46b0e841b8a18a2

SHA512
88532a1930437ff1cabda79a4ad0449b212c26979710690748468a9c150054e1478403e5403d02ff901042fc1cf42e966ed006d6caa2f686a6dc9e906468f56e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
153KB

MD5
6948a8d1cb9836f57183db118b324dba

SHA1
f77e0c9f8858a98fae978b8083e086635de713f2

SHA256
1963956a2f4b1312bf34cac5b2cfd9857987160287a3d5d31e677b5f5363a12c

SHA512
ecb884e7e80814c02ca18c43e232b5a6c55265005b98fe8ea95df2f293ed3f246442486d1f5310130c63a8a3e4a1780adf84a9192ef26f9a52e20f1e9ac53737

Download Submit