8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
Size

70KB
MD5

2a42ce47da12774d77e5f781f947bca4
SHA1

be91440fbc7a34cc63dc4051fdab6754dab0920b
SHA256

8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d
SHA512

a0d119664ad490f3e06e6e103e38b820913de8464df88567419d863190212831efd53d1ea692a905999253f08fa9fce562b9de526ceb250e92b908beb2efc2ca
SSDEEP

1536:p7ZhA7dAp1++PJHJXA/OsIZfzc3/Q8LvUge:Te76WQSo6vUge

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\bg.pak.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\he.pak.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe

C:\Users\Admin\AppData\Local\Temp\8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe
"C:\Users\Admin\AppData\Local\Temp\8a9204930afc223ff08e874446f131bdf65ca9718e8bc2a464a1dc941bf4519d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1403246978-718555486-3105247137-1000\desktop.ini.tmp

Filesize
70KB

MD5
ab10d08941020897931d1f4f64a0a458

SHA1
f77f2b5d30e4c44957fd4cc547b317dd5c60278d

SHA256
324e2c56efec85154c0d60c9af2aa8bdcf61d0b00263ce3b8d3785574ecc7a5b

SHA512
0f46d7aff6f6bde39128b29595935ccd55059f18add09bc63d01f937d5f24ce34710d5bedec9dd183f8eac555f3260191813fc03aacbc453a54a960af979e9bb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
06486c58e155d32d057654ec55d116aa

SHA1
bc9cb5f9358ab1a45270a33b45bfe2dbd173d194

SHA256
22f3bff4cdca2cf81d5b87b78377bced9369641164feb7bd018b81c0b826d48a

SHA512
cf246c9dfda07932cf1a5b3c868bfc75c2adc54d9d31083d3a956393bc0cc7fff2b8f9d040bdb52350511cd5e7a13a6015363e752f6db6a89a252a5b0a78a3e8

Download Submit