a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
Size

76KB
MD5

dd69ee185332320d85ee87df1031cf56
SHA1

9a3731fa719139605691459347a66076c5dbbdda
SHA256

a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0
SHA512

9eba37bbd7a19777f490a36bc8c5449616d5508bed501dd10971b20e373c2b5fd2105b045d3a5c8737169b60f7553fde8b6b45bc6f7ce76fb009e90c06c202bd
SSDEEP

768:W7Blp9pARFbhQSox/6Sox/ME4JAIAepE4JAIAeuDlmlQPc3f6Pc3f5TGotuMOiJX:W7Z9pApQESOHepOHe8G+6E65TGA2Dbx0

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5048) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.AdHoc.Shell.Bootstrapper.xap.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe

C:\Users\Admin\AppData\Local\Temp\a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe
"C:\Users\Admin\AppData\Local\Temp\a43f2fcf8292f05a8f447b549cc8b83400ac84fc5622a5060e7d8eb2f473c4e0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
77KB

MD5
67359de0524132cf0cf265ecaf320f55

SHA1
d6948b8f17e751343a46cdd2194b737dfc3aec83

SHA256
112e18196979e6275c23ddc00acc628565de4c4476165cce21263d35c6bee932

SHA512
ca92c4eb086f65902f21663391c4056becc586a1e39f7b60bce2a5be1392ebf3454a5d0151a52e985551aa08e94adfb5ae96f5c26e3555faf8d1055ef85344dc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
a3e3fdef51fbffc41944aaddd10ba229

SHA1
be8f548ac5d3e16d02926bab04ee9912d16cea26

SHA256
f74b1b0daeb88fee5f8a88f913b168276f4017587364ba7fb9cc540756cb2da7

SHA512
1864f47340eb708e8d0008cbb0918834c5e0e1d82577d8a140faf335a192fdb0508a97b3399480fa5bad09969d6d319b0bff8b2e90d5b8e365349df08b427690

Download Submit