f81638efb31c8fb54afe7320df67683a5f31942cc7f75e56abda46e9697cad2e

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299251bc9442da32799c3c9fb9d3d770N.exe
Size

57KB
MD5

299251bc9442da32799c3c9fb9d3d770
SHA1

f127dbc04f881960c1e5a697b61c1128333e3e78
SHA256

f81638efb31c8fb54afe7320df67683a5f31942cc7f75e56abda46e9697cad2e
SHA512

1a4f4c4e437497f5c0ef92af659443d18e69023e628ffb04da156522b6f55fd74a83d8d746dcaa8d18c09e290e5a282755b7d787b39e6f05485720e727b91f6e
SSDEEP

768:W7BlpppARFbhFAxC7ntkntV/1HOCi1x6HOCi1xwXN:W7ZppApryTeue6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4665) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	299251bc9442da32799c3c9fb9d3d770N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	299251bc9442da32799c3c9fb9d3d770N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	299251bc9442da32799c3c9fb9d3d770N.exe

C:\Users\Admin\AppData\Local\Temp\299251bc9442da32799c3c9fb9d3d770N.exe
"C:\Users\Admin\AppData\Local\Temp\299251bc9442da32799c3c9fb9d3d770N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
57KB

MD5
4ca7d7f5559446288d0c525a2c604b1d

SHA1
672111dacde972b25b7997e5fb91e2e525db3d98

SHA256
2af67e4cde0e21040bcfdd216119181af63d6709c84da01b4844204a12e52f2a

SHA512
421462d453737de853e6eaee8114b31a1718a604b39883dc2f9da6f96aa1f9b4c6322325c685b20daefc005dc7e45d8eaaefcc8c008bdf3fc867fcc74b6aee09

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
fefb8849bb3a758d441348d18387b1be

SHA1
631996e57ee0aae21214aac8c0ac7027f60eff5b

SHA256
478f21a8fd02ec7614c55ed595e8c9de72275b095246957769d98f1562e0ae39

SHA512
64d12159c936f1af4006ba24b75d16c3b8c21305ac160b27c9e3b25f65c0dc5b5da2a7477212a622472cbee01ed8d7fc13e3bff107c1beb6036ceb8612d63927

Download Submit