8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
Size

47KB
MD5

5c19f79a3b5f9625325a1b8e135569d0
SHA1

908425129a2b85d03b858af86264bce93bc58111
SHA256

8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978
SHA512

1074d4a51e4bc3953779545aafbbea25a3be4a27f175533ba82fd0e084bf5696458f655accc141407581ba4cb46ce2ef19ebf86ccc376f8347b8b92e73826348
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPcNOF8F0qOF8F0PDXxhDXxW0C2CSJHrJHi:W7BlpDpARFbhmauaLXxpXxW0C2CSJLJC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\local_policy.jar.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Json.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe

C:\Users\Admin\AppData\Local\Temp\8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe
"C:\Users\Admin\AppData\Local\Temp\8f3620cf4995d152abdca1123df9c54094374bb218e07e8dbe3e37bac914e978N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

Filesize
47KB

MD5
9cdb2ecc267e06dd6e9f946690cdcf65

SHA1
17ffeb53b39f15748948ae94f4e5f0b992be5eea

SHA256
4300031855b8a0097de138bc09b82144d7f973edceb6b9bf4984ec2abe04ab09

SHA512
3b96615c628e4e67efd43378d0974b46cdd0ebf51d9d5e27716d6caa92ccab587e906d5afc36774a2ec3b6b98c399d870d2ce8b4b60878bd1ce7afe3ee87eb94

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
c5450628276f5606717ceb52d7e7360d

SHA1
b4b10ab44652bc5b26b787a2b116eb125235d9dd

SHA256
26e67f7970520c958f47465adc432faae84716a1d4fa1c4b5fd911e5cda3ef7a

SHA512
f950400df78ca4d8d69d7f95cd8366753a6a79e7093e275639b1ec721e3378cb852e68cc76cad6b1b105e17bc59edd37442e56bbea62dffb684bdbe5301b0758

Download Submit