ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 23:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
Size

77KB
MD5

45dcb50b97f313996609b910b16ebc4c
SHA1

8caa5b5710a5ff6ae2403f90b65caf46e1346f89
SHA256

ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1
SHA512

b97d5aa5cb0f21560ee3ba7fb3104c6a93b724c353fcfe459d088e8817824a076684c32f461a9e7b2c61b52113bb0c3333549c067bfd94e7648aa39b53eb49a4
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5ifzWrWO:6+WpDfmRfmhSfza5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5018) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\manifest.xml.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\ConvertStop.kix.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe

C:\Users\Admin\AppData\Local\Temp\ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe
"C:\Users\Admin\AppData\Local\Temp\ab7e9e2cd170fc164614e4ca0b1e5471c3ba064dc52efec49da0c37b7cd203f1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
78KB

MD5
9a05f886bc4afc8074a70e2e371cff7c

SHA1
8b5e24166f80e031f5056d28c502fa02efe61749

SHA256
3a849377a628f7267b7e6b239955d33ae68e155ee7fc76589d2a2eba6b54ac25

SHA512
bdc7f83857fc089430e7ea32583d121a95dabe473c536959a4918856f7e666d669b1cfe0ff587c03d09373dd838daad03719eb80e47c2f272cef2397a6f91c1d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
177KB

MD5
1016755d1caadd39c0f67f2e20732cf2

SHA1
b876ba7dfe55c1aaa26c6b653b5095686188f400

SHA256
024e278c7561fd05f58af865983f6e790391abea5f2e2ca9bbf2003290b18b4a

SHA512
d72dc4b8295421389db11828920b2b3be35f58c8093ae120da6e332d8844c954992b090c6c192881c471bc688e1cae1086bdb863aa7976bb9174b61567cd8857

Download Submit