ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
Size

87KB
MD5

e5e2a5abdf93b1abe74546ed7cea634f
SHA1

afd09a01a6c4c2554b656e39b33413ad71617f61
SHA256

ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b
SHA512

d2e6c90075ff30b58a5dbb42c45024a6e3eaf24d030c693ab9846a4ccc6a7d1d8b821b72bc1159a6749bb8c3fcdb9fb9b75784df1a8af3bed6d8848a54590490
SSDEEP

1536:W7ZhA7pApH1d9oVLQthbqbY9oVLQthbq51Rn6b+W+V76uSm:6e7WpP9oVLQthbYY9oVLQthbUvF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NetworkInformation.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe

C:\Users\Admin\AppData\Local\Temp\ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe
"C:\Users\Admin\AppData\Local\Temp\ae49783c7f33b5277b2b39c0b8ded7b72d4634231be25ecbdad66146ce98bc5b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini.tmp

Filesize
87KB

MD5
328b0cd7ad7ee76c0425800e12a6f289

SHA1
f35dc3f161a5274ecc2eb44e1d032b2f3f81b324

SHA256
7113aaaa5408aa64789ca4461c4d3fbfb79bf9bcf79512ea81ae90ea8b4b97fc

SHA512
d28c128b646889205377ece4b8266e3a2b7b36e72db8aab29f2fdf21d8a5d733c16f693531743364c4a30ee2249cc143c5837064b27522af078dec1ae9db7559

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
186KB

MD5
79373d40ab8e234667a56f0ab06de902

SHA1
389a7959d06fe318b9f5388e3143ee1b8ba243f7

SHA256
c2a8d6337848a0169eec0f3105f5a34513a27dc96139fd216075d43e34930546

SHA512
431a93c7f2fb903a479fc1537e6f4051a48463053a6bb78be14868d5f422d440f523d4f47609246884af5b13893e672610ac1104e42e99d73f8cbbca9e3b2cd6

Download Submit