a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
Size

36KB
MD5

57fdde5319c37ba788afc48bc826660d
SHA1

cb63cbef3a67955e20e8fe3fe5c45b02bf53b0e9
SHA256

a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e
SHA512

76deab6f7232cd59221840a88280772b30f2732a7d11874cbfcc31689e0e4cc0c8a7fe0a757eb6822344df86ebe99b44281f6a530edf9d227548a11897c5689e
SSDEEP

768:W7BlpppARFbhjbhQYjYY4F2j3TK54F2j3TK/:W7ZppApB1W5W/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Formatters.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe

C:\Users\Admin\AppData\Local\Temp\a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe
"C:\Users\Admin\AppData\Local\Temp\a4d19fac7137ee3597c2b6a1ffc236bd9a14ce10319f8b26f76ecacfebc8885e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
37KB

MD5
92e9329c33a0ab00ba1b71714fbe4489

SHA1
47ad4c7a9abeb18fe0c46fa1c23c8bee6297f86b

SHA256
f172dbefef3cdcd82fe553e85e6473aaa6cf266dbf6c74277a21cb341f9ec2d1

SHA512
0584510369b521bfa1377ae1c104b8bd158e9cb72df113e76f42a1dace73f2acce0fd0784a0f664c8de1da743a7b8277990e9b1f2c3abeec6829a2ca6a226df0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
a4a270a31aac802b960fc5c6254f1146

SHA1
e62497fa9708f56dc3865a31ad072b44b36b4a3b

SHA256
45e9d5cc508cc257182a2297ce99f126a9f1b8b16799a05548a5d8c8f0439d3c

SHA512
c384385fa43c5af5bac45e67a4881e423bf0d0d2c4a1ccbb57c2311cf88e6c19fb179e94c0e5e41901fb308663b403195cb4d78122568893a04bbb163fba840e

Download Submit