2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
Size

85KB
MD5

7b1ce1633585ee3712f23ef1dbc3ec40
SHA1

4768a196e6376e1181804f99ac753ffd4310ce50
SHA256

2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000
SHA512

9b4c9f143179956feaceee7c875bcee20f4ca4d589db7608aa72b8cadf100dbf7c854790bbb01c4043504cf2f114d5b82178ee0a08e33f6af94e50a1d636ace4
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8asUsJOLKc/xJtLJtTGLtEraCuw:6e76mQSohsUsUKDtErJuw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4304) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe

C:\Users\Admin\AppData\Local\Temp\2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe
"C:\Users\Admin\AppData\Local\Temp\2254b2d1cacea57077e6f637b1ce5f12fe3a7779b56d2cd15c77341744433000N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
85KB

MD5
ca38c24d74770dbae1a9c90a5cde8600

SHA1
5c86f0edf0e5a24451ca358703ef18fbe4140f93

SHA256
7d7822309fab94d4c7294595295d25f788bf99e745a5335eb893354f3e34c22c

SHA512
97f724997aa4e13b49b3b8404b99641482a382d377b3ab66d8b86d22bf5a5130d8a6f02d558289452105fc11ecbdf10b36d814ae05f648345b48d4094607d6f8

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
198KB

MD5
b896b266a1c260b9371123adbd12a676

SHA1
cd779eb12946f053d12d0ae74c3d759fb13b1f23

SHA256
291a28978cf22eca901bf744ba8d9fe3481300e88b7811901846156851d0fa61

SHA512
86f790adf85683050b7e2ee495b310b208081db332768c5cacb5ef5a2969d06918d75f47515a40475855c1df421f97ada793f226fec69647c7f48060d4c24d2b

Download Submit