Analysis
- max time kernel: 119s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-07-2024 09:16
Behavioral task behavioral1
- Sample: a191ea807515079c5aa9426c80578080N.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: a191ea807515079c5aa9426c80578080N.exe
- Resource: win10v2004-20240709-en
General
- Target: a191ea807515079c5aa9426c80578080N.exe
- Size: 22KB
- MD5: a191ea807515079c5aa9426c80578080
- SHA1: d9e5a5bc8334c7ee891f9c47d072d64de7dc5a98
- SHA256: 5abbb051419b4ab1b987b004f34b834da065267699b7b3c69c2a15c83c37023b
- SHA512: b9240e239541c21a9625051292d3e2feff73550a2e04720bdbf8ba06f8621a8d821b524b7ae78e32e65a6588153c5068bd52dc68e700991f03cf35336917fa4e
- SSDEEP: 384:QOlIBXDaU7CPKK0TIhfJJblDZblDZaOpeOpWB3j3cbNQj3cbN3EFEA:kBT37CPKKdJJBZBZaOAOIB3jM2jMa
Malware Config
Signatures
- Renames multiple (4373) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- yara_rule upx matched in the following resources:
  behavioral2/memory/1980-0-0x0000000000400000-0x000000000040A000-memory.dmp
  behavioral2/files/0x00090000000233f5-2.dat
  behavioral2/files/0x000600000001e6e4-6.dat
  behavioral2/memory/1980-1038-0x0000000000400000-0x000000000040A000-memory.dmp
- Drops file in Program Files directory (64 IoCs)
Downloads
- Filesize: 22KB
  MD5: fa7f4642f2c71dde683f9dba4d59e0f6
  SHA1: f35430feffaf4094c1e5ef72b925f366784773f2
  SHA256: b5a838ec8837c0142b690e676c471a32d38fb4da1c6a077573f3c7e2c8075693
  SHA512: 01d2fa4c1ad03a58ba734fe730a158fe21fd523f24e74d81c2bb4c19f6a8216c311a24955c2f2d74e36e15a3a41f927ae67ba43affc87c1d2be9bb6e25667362
- Filesize: 121KB
  MD5: 83ec87c3ea9596dfd7db633754d21d4e
  SHA1: 0eb7a968b3c9be134b1af0ba0764473c112f502b
  SHA256: a7679c64397cc66555bdeb1b3f681636f6ff1a3c33bf77bbe19272a63e3bfd80
  SHA512: 96c1c08b1e05d262f6980935dc8e4531a653b0bf76e9ada81968bb4d376eaf2bb2abed5349fc61507f60b3da1371d74e61330151d1f31fbfa023bc04e4106b62