a1daf78ba5eb6aaef1913dc0e69ad2c9dbf94bd46d5f552ecae6d824a31c774f

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 04:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4dfdf9cb4039b57c0fcc62716f52dae0N.exe
Size

70KB
MD5

4dfdf9cb4039b57c0fcc62716f52dae0
SHA1

f774db1af1553b30a18130ff90dce5f78fc411f1
SHA256

a1daf78ba5eb6aaef1913dc0e69ad2c9dbf94bd46d5f552ecae6d824a31c774f
SHA512

01927d22abec92f3e463f298873da2aa97fbbe13695e79758ae0f6ab1bfbb0dd9602d64959dab7d9281a3d445855721a8209ada234595f827d589619c6dae33c
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPXa9Ia9l:6pWpUnDXxXV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TextWriterTraceListener.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	4dfdf9cb4039b57c0fcc62716f52dae0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dfdf9cb4039b57c0fcc62716f52dae0N.exe

C:\Users\Admin\AppData\Local\Temp\4dfdf9cb4039b57c0fcc62716f52dae0N.exe
"C:\Users\Admin\AppData\Local\Temp\4dfdf9cb4039b57c0fcc62716f52dae0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
70KB

MD5
53f6d388b0f8dbd8c1df7fb04a966ebf

SHA1
4609532e19a46971338c018d7f14170a9cefd436

SHA256
19425b026b255df597130d743f0cccc26838af82625e9c5c5502f37ad3ef212c

SHA512
bd1d77a9c2d9d57f90799bbfa9969d1572044efdd29eb6c49621a325ec4768c643af7a938b8e3ffda862491f80129ca50cdcd7da0f594cebfe13fe535d1c2868

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
740af7c44e5c0d0c696c2d6161fb2ddd

SHA1
ba042af98729f94f87c1efc747d512db4a6fe14a

SHA256
81790a9817b6c5d93abf0d536dac3ee0893aa839a9b444fbdbff55c96a3a4d14

SHA512
393ed15c9fada71c4cb0934c3bad1246c7d0bf0e9aae5ecedd2d94e571905b709b4a018fb466735d91054c7fcc931f3d2ceb7fde82f57eb5cb1e5fc824743376

Download Submit