834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
Size

92KB
MD5

6b601806cf2b7f75d4c32446f8345f40
SHA1

96a2432d2c2e2c680985f6b1ed3b54a931d8cfce
SHA256

834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41
SHA512

e30fd540f99361428cda7b4b3137ea77874f7016c5d9fc40a81c97e149a0ea90fb9e6d8db2eed2a4b897264b70b2f3651d4e853573831d4312436d445c771fc4
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYgqe6:6e7WpMaxeb0CYJ97lEYNR73e+eGG1qe6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdClient.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe

C:\Users\Admin\AppData\Local\Temp\834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe
"C:\Users\Admin\AppData\Local\Temp\834f0c47f871a9b9483ddc17ec0904372842435b43164df9dec39e93ea635d41N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
92KB

MD5
31096e4be9446a7522d935b2c2db0409

SHA1
8269bbac27a319e5cb82696359a0240b4513fb88

SHA256
166467d423bd6048a085ea05b66d0e82b84fb7a7d31d573c965a29376a12c88b

SHA512
174d7e8aaaecadd4e82988b3234d48cc46030bf1b36124e1eae7a3d768ffff7116fd88709688f1cb6f03dc775e43865e7d05c1e063a28375cff57f595f5db837

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
4d73dc65299ee3eeb0d5dab097ec48ec

SHA1
e7e1f321c1dd8ac65685d9949c07530f5f7cca5c

SHA256
e9c06e1717ba3bfa89e8ff3f97272577c4b76314e78857b1f243df66b0ff8f26

SHA512
0d83833d931958fdaa39a53474da01a2b7435842b35761e5b18750442e2e08edf9093130e4d82b6125249c68dafbdd7f866e7999ba0b2130ebfc7999896c647d

Download Submit