363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18b

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
Size

111KB
MD5

9c60ff6882b0263603d507d9b144e6d0
SHA1

2159f48c3c654e82f6ff38bb846af7ff21a082ad
SHA256

363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18b
SHA512

3a2cf04fc897528f2a331cb5c73719bf701276af8516a1302227000aff43a9ea41f16fe4e31fa88076c15b6caf71227204becebd44ab828c240edfaf9fd51451
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/80PqPIUpCUpiPIgaYgaQ:6DWpwE7oL2e+efZwZ08i8R9Y9Q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4512) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe

C:\Users\Admin\AppData\Local\Temp\363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe
"C:\Users\Admin\AppData\Local\Temp\363eec866503e318a054ca9d0d137c97aecd030278e413b51afdffc1806eb18bN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
112KB

MD5
ab4a6d3b93c7d44f53d8223d95ad6352

SHA1
f2db0c9f5576c9f6ec461c2f760ed198211904e1

SHA256
b4f40b18956201ddfed772aa0192209f61d458a9bce6ad32b82c29c4b2c8897f

SHA512
27d4d1877c60a13da2acd30d19051427636d5d6ed54d8301698a90ad22720b26a504fb1137e94ccc0117bd522f2ac33b84a59ba177b2f0e6206686af2a035a6a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
210KB

MD5
aa874ac5605ceb133805a2d37ab3d5cf

SHA1
e2adb0220c05634755d41e60db6a37ee2fb9f186

SHA256
9a4a3416b08ee74198c048908e0303b6d42dc540e17e164077729d4fcb428870

SHA512
cf43a2daf9a6f4ca7111e516928ee5ff39b13e8c02019293702428ad355c59f962bbf0310876700277bfc10f2d4038d4a006642ee1dab80ee95415080f9eaed1

Download Submit