0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
Size

196KB
MD5

bf173a8a59a178e67b43dc26c02407c7
SHA1

da362f7b41035776f0fe902d0d751d4a37a8df71
SHA256

0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06
SHA512

cefed7996f480f433ee7ea7430482a8b2c826368bdf7bc701a0dc97e7645042690e9bed17828fd45784ce7cabbe8abcfccbbd3eb9e89d3f59233d207e153fe84
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBJTzk6:RqKB+tOkWKR0iJ0lTzk6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4683) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe

C:\Users\Admin\AppData\Local\Temp\0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe
"C:\Users\Admin\AppData\Local\Temp\0a1309012a4bf9e028e1e6037a6443a4f27445ffd7e0107fba40ce0a56c73e06.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
196KB

MD5
00825d54f82d6268c1ce3e0ef9adf666

SHA1
261eb537ce27868335a1a30c5699ca37bffd7e83

SHA256
3f0b1605e02e3c88b94e54373da9f5e11f03fa1ed32972b365676eaf124d3975

SHA512
f99aec68a9d7f59d0b758e457c5a337b69a9d73242f9998d667a8c0af8747419fa627bc65520c36dbec9b06fb967bd9f9a46ce791cd75dcf7044f7f6b4c0aacd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
295KB

MD5
d7fd161c38b8ae5211333b97035197dd

SHA1
0760349490b2538bb3562cbdfe74854a33dcf8cb

SHA256
2b2115be951776fd00917e2ff60210f7d63ddca611637d44a787718cd0a1dde5

SHA512
400cfacae8780d1a8d083072e1842614a9608d2a5eaf4111dfd3214b2199045240982ea982459a749d9a9e7a1a88ed406c1a77741a8cbb5b5cf5bb752b72f10d

Download Submit