714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690ed

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
Size

41KB
MD5

49c975e5c4ba16dfac6d45330a2b3020
SHA1

44eb207513761b42329bb95a82ff8c2202a2e9e9
SHA256

714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690ed
SHA512

1a3b56290357c4e788e290906093de5de154aac953d08cf61a16023f362d2f2d947818fc5625f14b97134ef264b8686b63fe3b206e0eb14b388f02230dc9fd5e
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltj8Tu8Tf:W7ZhA7pApM21LOA1LOl6Aj8Tu8Tf

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4701) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\desktop.ini.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsFormsIntegration.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\CompleteRemove.MTS.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe

C:\Users\Admin\AppData\Local\Temp\714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
"C:\Users\Admin\AppData\Local\Temp\714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
41KB

MD5
7369537afda27e9144cc3944efb6ac41

SHA1
171359c642af96aa6f8a5aeb774217a04bbf9cc7

SHA256
5039a4651ebfd935ea42abeabab5545d5cf57f0b0729703f4e04d3e0d3e1411f

SHA512
3c3bf2babcf88abda00f2504e91b08cf58a0ef102cf1b96e811e3ec3360e148e6cd75caeab7bcb67ff65c0ecc4961bf203b12b8de2090fee65aef29d0a7efce0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
d4f8ab938afbe5516b781dbe8faee686

SHA1
f8c6905fa2beee23eb40fad75cdb4759f52a4609

SHA256
6320e6b9a78251379c8a407d764d9c6056f5b5ce6bbb5ab4d144306c5a4455f4

SHA512
05e758f35c1058e7bc2b95ff5f8ba579563423c2ad17278f0afd782bd5c1e82dde288fe2c9460f728b1df3d3a577cca4675dab2cb6ddc1579f7d6e1998161620

Download Submit