64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
Size

33KB
MD5

5aca05ad27dbe9956f57334615eef070
SHA1

bca997085769e64f6ec6cd60527a5713d6bdf5da
SHA256

64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800
SHA512

3179c956007050dd39dc2c230095d4131cc213c33a73233828b3bd0b61b53e36b820b98ff83b036ba9671db0dee7fc24bedcbabd6b4aa68c60d50eb26bd9fb4b
SSDEEP

192:tACUADIY0Br5xjL/nznlAgAQmP1oynLb22vtI0zWXPXTRY:GBt7Br5xjL7lAgA71Fbhvt3F

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-REGULAR.TTF.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe

C:\Users\Admin\AppData\Local\Temp\64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe
"C:\Users\Admin\AppData\Local\Temp\64aef015ac1884a546739b9dce307df12e91918c092337d335c9ff314f5e9800.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
33KB

MD5
76e20e9569049f17f00ef17c99488d38

SHA1
7373826804479affb005b04061c7d813c82e236d

SHA256
f2545c71177a0e44fc3a170e118b0e80a778b06fa86a077e29a20fee747b84ce

SHA512
bc14fd4e1706028a3c936bb8aff14d2edd50b2655c35e7c05f3415c5f5565a744fde726b41a6f23385bd75808e137e29a8cbe455f071d2f3d419aeda398aa89c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
ff448bbe929b05e402429fe2f4cebae1

SHA1
4d889174f484cf852293b64bffc80066d8848a37

SHA256
74d7ce468b3b2856e9e74bc882515598bedf78357e84d10b57de6e9ff25f6232

SHA512
afb416044b952511c92f896dfda97e2fdae89d456efa311eed5e709785d7cad781acf834e9f3163b4f4ac17c4d3246fb917a57bc5b2e0a67db27b926a662f832

Download Submit