20431a33c5abd2f001d1f4ebb339e67efadd897de316a53f27ce645fbd1627d3

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

335eb271af1297ed05ceba9150e96d70N.exe
Size

48KB
MD5

335eb271af1297ed05ceba9150e96d70
SHA1

81110c1e055c725e890d521dac1432d038449f66
SHA256

20431a33c5abd2f001d1f4ebb339e67efadd897de316a53f27ce645fbd1627d3
SHA512

ebc2cdd8dfb66242630693f09f1005fcfb7a06c7123c39db2992b7109eb75f99c63663fb6008b47fd7a71f407a124c6a81cb44a80ebb32a42fe7429c6a310bb2
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLntvt0:W7ZppApBULcfpHLcfpyDItvt0

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Design.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-phn.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	335eb271af1297ed05ceba9150e96d70N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp	335eb271af1297ed05ceba9150e96d70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	335eb271af1297ed05ceba9150e96d70N.exe

C:\Users\Admin\AppData\Local\Temp\335eb271af1297ed05ceba9150e96d70N.exe
"C:\Users\Admin\AppData\Local\Temp\335eb271af1297ed05ceba9150e96d70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
48KB

MD5
64508b53dcf36af176dcb4f28cef67d2

SHA1
261e7b61cd66c31860e3357ac021ac8128abd611

SHA256
99137830420f3dfa46782679bb7238760877c24de6635ddabfddb55b8817b402

SHA512
c30275637b7a5091433fee96a8ebfc8b7f21e18655f2e96cb9af1a40f7f9cb2a533297f70b3209a01553c83806711f94571ddf706fef3a20ce18a9b5cf91a6b1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
f3b75a0d07a088991740d6e21511aaa6

SHA1
b5463cf9c7214e7664d14ba959968401da801b7d

SHA256
7893dd9abded953c19e35b5bf9e3b73b2630982b06507f9aaeda2d7a3ef5d6ad

SHA512
668bccda30df8fdfda1d1a798065f84ce915fb7dbcfb14644425cf2cb0c00178b8c0329177c35422083aaffcfb1636576c1fed79fc850c8ec06d7ec1aded209b

Download Submit