33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
Size

76KB
MD5

75bf1ece637c4d31d4122fcdf40ff0ee
SHA1

5c46fee7a2119338e94cd06b94cd3538d0eab981
SHA256

33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68
SHA512

d0c8948c4b24a1e9e23bbab0d896245f6ecbe7f6f0cc2aae68f6c92fd53575294c9baf96c7fd59b1378bb9d6d24ac0c4434d5be540daebeb4593c49d38a6fb48
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8zxY5eYm:6e76mQSox5u

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe

C:\Users\Admin\AppData\Local\Temp\33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe
"C:\Users\Admin\AppData\Local\Temp\33a8482305e922ed1540f90805f46064ff2e3299ce9bc9073b413abf07829c68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
76KB

MD5
ed75ed95f016650b6c757ebe58514d5e

SHA1
6ccbfe43b01603332623087e1abfecba6c0a4464

SHA256
c178a8f519f5e534830257f53f084df717fa08809da3da2a478af4e4bd798a22

SHA512
94867be69cc97434dc27e1c886fc0ce8d3aa6c25cf574ba1279dbf981f6122895240e75ae063c8b1e55d4aa59b158c81ab101f7bf589f87a186f7f8ae0be5fd8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
9e74ba705046d33c8108e090cef35d41

SHA1
49a18c69df91ec2db4e76f0c0dffb6142cfb5a94

SHA256
2c610214cf80bd5ef5f7454ba4c0acc0aad4186fbfeb436384cddc2dfc90e6af

SHA512
87157de8bf2d0a56a245336b9e7fa4782a1c135d4d4d8980becbd3e802c9b7f85cd82828f6720e78d123cc34e070aa52cef51c3d76422484cf3606cf5fe73ef0

Download Submit