ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0

Analysis

max time kernel
150s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
Size

94KB
MD5

cffe68ed15ba6b3a661a1a9086e53ee1
SHA1

eb53d749470579d6b2a9872fec98fce256efeaa8
SHA256

ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0
SHA512

9e81a1e12642adcacc6e398ad65ad8c51b200f3d21618dc9c55c19f97e07eefe5f4ae79ad4383c63e6340946518b70018c981c4b0c434103e23790de96a390dd
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhG:6pWpUFpEhLfyBtPf50FWkFpPDze/qFs7

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5027) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Extensions.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\desktop.ini.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe

C:\Users\Admin\AppData\Local\Temp\ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe
"C:\Users\Admin\AppData\Local\Temp\ad117da9ede361b1c6b21caf23284a30da8fe5818ad66a580a83249d517d35f0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
94KB

MD5
82bdbff16e9465cccf26610e8723bd61

SHA1
001cfbdf2d8e29c1f0d2bdc97b64041212d1cf02

SHA256
8b2c44b874f7b48e5485adb08c913b2272570a9c4e1a156beea833cec723b5e0

SHA512
365820192acadd6cf530a9703575e8ff73f8828d1bfbc422e61a34d9d08b6d24f48d52a4990792190c3b303d38bf53e7035b52d8c49b473bf3b3b1cf7b905dbc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
193KB

MD5
cc752fc6e14e843a4046e795faa8dd20

SHA1
32c2d5648b5db12856ef9a531fb17786165437d9

SHA256
a448677d53f750928b6400d0825fee759e0e2eb04f8c8f8767e555cd5a4edd2c

SHA512
746d6d901e8c97411b708fa3dcd0827b5abed113d8c9fa1e3c72a09b69b189da73fd42ee46bf90c9b59a3a2d77aee0477937f0017f96a2f4a5c2d9bcd7e9061e

Download Submit