04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
Size

44KB
MD5

79c534f41de6a1b90ed5c4c8b4aa1380
SHA1

b44969b909bbe82a3efff03b694b3455ae25066b
SHA256

04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6
SHA512

8f13b2908db011ef705abdf5591291fdfde143ff6c975821c1842c880ab0707432da893705b7900785f5830a934f127b8e2c5fac24b275083cc71b8b1ed1a290
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsScc/:W7ZhA7pApM21LOA1LOl6vScc/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\ReachFramework.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLCALL32.DLL.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe

C:\Users\Admin\AppData\Local\Temp\04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe
"C:\Users\Admin\AppData\Local\Temp\04b2d1af1e989694b291206bdc63de759b702c0e0aebdd23d48433101432e0f6N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
44KB

MD5
9180c9395b60742014516540e312217a

SHA1
994f3676efa34718ef13e4a341d2132e6835b48b

SHA256
f3389365e23d1bfb93704bfb72ab84183db35c61414be1b986c20153781fb1d4

SHA512
69c73201f08c9876f0653b8a181e78680435510ea87208a244fe9a0149cb4cb9bff15c30227a61128f9e21c87dad7e9070c346deb3c3cd8e004ed0445ee87fbc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
6f9a205422c6208735d3fe795f38cc1f

SHA1
483de969ff66484b5342176f35102957b523ff77

SHA256
caa7f0bb287de355522a7504148e10f8612e4ec7e438ba97477caa4d4b4fbe69

SHA512
741f67692e0e9064f3828cba61015b95970f2e6082309188095c3c6aab7ba6c7fbe70d42a67ffc87c487b249b65282c4dfd08f735acff33717f75f1c62d2390b

Download Submit