23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
Size

55KB
MD5

e3b4e0fb32694b90d248a786dd954be0
SHA1

59c2c6269254c0b133ce8ef3d072bee600034e85
SHA256

23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1
SHA512

a3e7e64552ffd36455e5bc3313e080f0ed516f4036993080bc004f9178c546c840e2ef254184aa42ce79dc4f5b80288b1e88e36d3e6b181dc22606662cb42131
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFZPsFhiXFhiKQetQeFj/:W7ZppApBULcfpHLcfpyDZPQqfXtXp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4691) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe

C:\Users\Admin\AppData\Local\Temp\23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe
"C:\Users\Admin\AppData\Local\Temp\23bdd3077d6021ed0964fb8c40e3386f58ca72decd3db8fc8ee3be3cda491cd1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
55KB

MD5
909283059a955a91fcf65380ce5dd7ab

SHA1
25f9b8bee9cab91bd09e6f0609a79b93623c1795

SHA256
d244b3a016c378ef917291e35a96aaeca6ebc74c522caa328f4116c3d5c3aaa5

SHA512
fd7235ec94f896e51036c38758907f2a874353e2233823fd8d1d51b247d2c87a27577a09d4b8de71e3f077dd541b637d4b10a54c0a243b638b94411270109be9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
885c44658354c5f83e6b4aa3fc6de095

SHA1
64a8e49148d8475e1e5ac9daec7dbd46f6082f79

SHA256
c927daed351900ec485b48e8719878e34acedc5f686e9f7e25773356b7d6d493

SHA512
01ff9ce2ec498b665772f24f9f0b6bbf93dc9e515bba51d47791f661a824991a64f099bf5ffe620e579012a9a7cddfd6f65e79ab9284846b6ea4550023ce018b

Download Submit