714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690ed

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
Size

41KB
MD5

49c975e5c4ba16dfac6d45330a2b3020
SHA1

44eb207513761b42329bb95a82ff8c2202a2e9e9
SHA256

714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690ed
SHA512

1a3b56290357c4e788e290906093de5de154aac953d08cf61a16023f362d2f2d947818fc5625f14b97134ef264b8686b63fe3b206e0eb14b388f02230dc9fd5e
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltj8Tu8Tf:W7ZhA7pApM21LOA1LOl6Aj8Tu8Tf

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5087) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe

C:\Users\Admin\AppData\Local\Temp\714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe
"C:\Users\Admin\AppData\Local\Temp\714934b61772a392fc16b0ebb52d675b1a810f662dafef4ba21dbc9e8ec690edN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
41KB

MD5
215eee9152da0b75ebe2a09f13794912

SHA1
c588df8f1db14fab439e534985b430b02696352d

SHA256
0aae7eb7e8aae74f308a0573a8b96a35408ee97abc5ccd5c2f9e87a4c11ff1d5

SHA512
40cfbcac3a85d0d67ddc8ce2c70f014883818519e424167b0fb82265bef443bbe847a4a61fe218b2bb33c827cf0f4717737673f03ad31c779c5700dd2ef9cb56

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
fb2ef4e1ab2fa3574dcc77bc0b3dbcc5

SHA1
2c1b0f050b9763d7c5fbf62b27cc524a26ff7bdf

SHA256
30c7379dbb6eff03ee8cac974aafe81da948277ba208db7dee130f57382f8ca1

SHA512
0fe681bd4fd203cedbb080dc5d1ebc2893324649b4adcde9cd82c37b1cdcc346f6fc439c8f65e9050746459616cfc5fa86387f2950d5a80865312b45e5f60bd6

Download Submit