31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691a

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
Size

100KB
MD5

f4e71bd16dd33b01fe3e7942185adb30
SHA1

79cc62e578fa400fbbc7f448cdc3dae6a73a5e49
SHA256

31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691a
SHA512

c31de266e6123b55e16833777e8518473ebec1bd10f0ac70c3e83857c1eaee4e65017c8ece487e9c7b1e8af29d906401e5c47a7a86ef194ccb3447a8449a6691
SSDEEP

1536:W7ZhA7pApH9QHwtRF9ESWu0SWutlggalggEpVp+ESIXosbosP42:6e7WpHIyRF9ESWu0SWuDmmSIjX1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4542) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe

C:\Users\Admin\AppData\Local\Temp\31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe
"C:\Users\Admin\AppData\Local\Temp\31f88864e4e8b0e69707bcdc2aa9ba45a360e5b7bfa056308d1f874b9667691aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
100KB

MD5
875985b5a94591ebb124352f54fb7440

SHA1
6f3f30e009239e87af83f8005336b23422776621

SHA256
9b1f567c9ba4f93e83e261a241c3a70cdd7626c2c8d1495a3b7cf7f919f360ba

SHA512
6267e3442f4b869890277b7f435690ed799b99a60e44add9c130259408f3647de5777994a9e541a6a27e22beedf06459ead70a58158c18cf4b23d243aa4aaa82

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
199KB

MD5
5343a2b373fc6cacca8e94bfd523f466

SHA1
1f628d37b41ec28a5448b71a7091857070a61506

SHA256
8f017e950a9bf3b585cea994ccf49ee24bec89af2f0aef364074536c636d654c

SHA512
647617b57dbb63969d1ec6c083a852e058c843204bc5f378d88ba7bda7df7facd7c833e2089cac2789fd85f12f7e0d7c7f53a6c41a4ae15083fbaa31209fee78

Download Submit