433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2a

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
Size

92KB
MD5

0e9bbb290ab09c8ac3ee9e2471d5dca0
SHA1

c1da8358ef6634ca37162d5b242ea45bd8c06a6f
SHA256

433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2a
SHA512

1495ad8d9cd7349978bbc2ca961a8ec15d56f8a4c7778be09f8641e1a6f3dabb22c0f553804b3a5b274112eb965b17c6577e82c60b3d31bc774969428b02fdfb
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYgqer:6e7WpMaxeb0CYJ97lEYNR73e+eGG1qer

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4502) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe

C:\Users\Admin\AppData\Local\Temp\433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe
"C:\Users\Admin\AppData\Local\Temp\433e8480f4ff96584b63a75708c7bd72ea7350f9c4403e21eda8e767b4ac2f2aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
93KB

MD5
dff5dd72db49345a1229769282af9e85

SHA1
dc2de46d86e5738449ee3c080bc8bda9acd1c590

SHA256
ba65f62675792e8cae5a444c5cf2d777e3382fac01c4fa3d199c6522bc4e6120

SHA512
46ef7d0870506c8d3fc230dc15cf64b43e9341ecda51d0c0dc1ff645cf30288716f7dbd8ebf8255747a73ee2ba5b922ce681f2bcd0345d518cb7b9b021754c13

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
191KB

MD5
292c4fd010d7c75efef2cfe5be74cca4

SHA1
ed3bdd4e017a1c1e13654bb414553cc479b0c200

SHA256
68c8cdbf2420b72229b53ffc0f26c2eafc1d5efec6c6f3076555922b3c9bb7ae

SHA512
8d0961c3427f2a37e8b7bfbd468f2846fd2fb45c1725ea367f972b5c9ce1cb2482e403568991b3539fe2d6378e530645057a5fdf2b38d2b40c229c10ecc6b1bb

Download Submit