00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
Size

74KB
MD5

780a0eb04d1bbf9827ed611df5b0ed9a
SHA1

912466927d0da0c737358e1b9390c125d9c67eb5
SHA256

00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919
SHA512

17ef2f90c562445a881a03d38fbacfda0d5fe41897f3c70529200fa16e504d26cd4ea6e85dd5f3f10f2fbd762e88766f6f08bbda96538ad08324d41857b082db
SSDEEP

1536:p7ZhA7dAp1++PJHJXA/OsIZfzc3/Q8Ue+bCe62R2J:Te76WQSotbCe62R2J

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5023) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe

C:\Users\Admin\AppData\Local\Temp\00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe
"C:\Users\Admin\AppData\Local\Temp\00a1a3dc3b36262bd12c295800605037e5526fd37ee723325a64558938ee3919.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
74KB

MD5
3d7bfbcf18f4d3387c31d973f1c91a50

SHA1
d62996d9390f25c48d7e47af20e60be087b19d35

SHA256
c02ec1134ee33453a4131d020cfe0c3b7ac0b87ec89ad481fbc6f5c9b00c5986

SHA512
ff158e4387fae4fbd9d29cc9509560ebfcee7c260ec26a6b1631f61748f119499c11c245d8d85774d4d095c602b05ba7a846f738d19a71b24a5e8d414e053ee2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
2f149370b66d207cb75c6f335c1cf0f9

SHA1
62bb41f469a2af2e611ac3dca612cd88efbaede8

SHA256
6a267a1502d3141d83551fcfbc1c52f570ff896ec1ece760d6bea5d78c586263

SHA512
08c23d6a1f71ce95e27e6acd1cf3d599a83db1863549297894d83ea0562195892ec46c1d32de2907a0790d1a77a7cb3dae9eb11b5a99be95d6be8978e42e983f

Download Submit