a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
Size

34KB
MD5

6bfb04858152de5d46298a316c2e51d8
SHA1

37c203f94814b02e1f606976028bb6db388d64ad
SHA256

a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98
SHA512

31257adaca022273e4563a9fe4420f7bd49c7c5192e27eee9e27886cd75c1e8d8746be1b1562ad879aae6336b7dcf17af106aad9f762e228d6487d42a42789e7
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBpR42L5FgAytBpKU:W7BlpppARFbhjbhg42LcfpR42LcfpKU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5281) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\EnterSuspend.bmp.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe

C:\Users\Admin\AppData\Local\Temp\a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
"C:\Users\Admin\AppData\Local\Temp\a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
35KB

MD5
9d2aded6c25ad29a16a1f5a40a7d5979

SHA1
c8b9595feafb60f4942853ed98b9b3f1094946cc

SHA256
beabd36cc93cf1fc54eb91004b0f0107df4eaa8ab3ed3702f38e6f69f578a163

SHA512
87fb59048c785ad540ecfb89b194faf0a873c5d47216d203b25848b83326a7ebbfc80ddde73afee45790a612e633c5cea4c27f468a260ef850f34b7ffae14126

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
133KB

MD5
6550e3e82f249e420c6e7825fd3236da

SHA1
e0a40b58180533da6da4e069c00d2a8167819b57

SHA256
252b091e705070f3cce951a9508f006160f60cf0b7e7ab124930095eabb47add

SHA512
06fd8d9ef3b1bd8f770a4ef0391906603d28d363889cc3de3323875031fd13b8bff9b0307a5aae08d87aca5ca68eb19f0a2d608f8eb67bd51e15768f30d93f15

Download Submit