2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898

Analysis

max time kernel
150s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
Size

72KB
MD5

0ac0b4821bab2596e7fee0cddaec2979
SHA1

a4ef61cf6c1436726ab49bb3468c97f843f2b0dc
SHA256

2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898
SHA512

61ac0e6c4a742345729b4a72e399925cfd8e8dd9abb2a2eab45eabc95bc39cb6c28395c9a6996b9438c15e111e08974ceeb535ffa2a454fa17fdc4bb98f7a51f
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpW/P3bG3b52M+++++++Ehhp4BybOHK4UcyLj:W7ZppApBULcfpHLcfp241BoLqrN1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationProvider.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML.tmp	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe

C:\Users\Admin\AppData\Local\Temp\2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe
"C:\Users\Admin\AppData\Local\Temp\2ad26743fec16a4df62119da8aa8897ac892f21b1eec4df2dbd4073c4ba2c898.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
72KB

MD5
f9e5278d15f8ca1ff8ffc332be5573b1

SHA1
303eedf73e04e07f52c8f37e7e37bee47b8177a4

SHA256
dbd7edc1525d4f084d2efaa7002783d4a728eae7408d8e07fbb9b8c16c35e922

SHA512
0e79bf8b9fa796263fa61ef87f022668b8dfe0f2720b5c59d372ca7b27e3cfd4771bd9963e94077d17eb76e7fb197f96c53d7447bc14c89447b77bee8c4a6e56

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
dc4f665fa452c5a85d264b7e278e449c

SHA1
5fcae0166b274393421b1d9754badbf8bed519b7

SHA256
656278ab538d8d5a21e5e36c4c63e9c18cc2398e1f92ff1c33a42c8ec8fa8703

SHA512
68929afb83e156ee6ae3457b2a0bf98bf38349e5fd7e4815cab4707bfbe7328ccef065026ed91fd21f4d18270eb4418fabf4a063cdc645feea28f1be23edfd47

Download Submit