7c9db397b3e07a39ba258e08c439b69842afe41046983cb85791dd51c7c6fc3e

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4356f96ceb8b571c8cf80c95d598be0N.exe
Size

48KB
MD5

a4356f96ceb8b571c8cf80c95d598be0
SHA1

f20faf0c895bd8df9b2cdd3234e57701decf7e7a
SHA256

7c9db397b3e07a39ba258e08c439b69842afe41046983cb85791dd51c7c6fc3e
SHA512

f6d369df8f7fd0150bc414d6ee5fee81582dffb0f51b16dc0f4a8e1e30d440c2c37d7ba5861a87a9947906a6d4173a4f9f61474d68c41f891b6eba16e3f3202d
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJwRJofJoTy6H6p:W7ZppApaJofJoC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jdk-1.8\LICENSE.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Primitives.resources.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	a4356f96ceb8b571c8cf80c95d598be0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4356f96ceb8b571c8cf80c95d598be0N.exe

C:\Users\Admin\AppData\Local\Temp\a4356f96ceb8b571c8cf80c95d598be0N.exe
"C:\Users\Admin\AppData\Local\Temp\a4356f96ceb8b571c8cf80c95d598be0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
48KB

MD5
20a1a6c3e5b4a6cb4490ea1fdfd8bf14

SHA1
e01383fd8e07bd8bc6e093320f0edaab475bb656

SHA256
d0fadc04a314c53359cc1e90ece1a0c060947354c51eaa3a09a1e66025273867

SHA512
eab9fbf150bb48e3d9b5955e0a16d9213d7abf86d604d8ed9475bc338411a36a24070841e283ab238fb9d86b415d6fbc0d9a7c602f646e3b9d90986d66745ef8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
0f56c5a00206e2246fbf36085c4bf947

SHA1
e1a6241ae6bd6dfd8cb41f37143b5337b049d66d

SHA256
f30aac413e45fbd7c925484ecd83fc1d019fc123657b22fb95fa5415c0727aa0

SHA512
a418cef9ddc3a46023e10cbcad5c2182fbdbde2d4aa008e0bd511ea5f785f4a51b4a121712ac10d3a6ae87f114d4fc5af066a2c9a5149a108ba859635690c147

Download Submit