43f2345c4713fbfa1b143c7c6f607fe5b2ed16a7b03bacfeaea31b335450cb17

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 19:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02a15665e08aae16bdfa6669fecbe410N.exe
Size

45KB
MD5

02a15665e08aae16bdfa6669fecbe410
SHA1

18ac23b2c2148bf81db5bffd086a043e1403b7f6
SHA256

43f2345c4713fbfa1b143c7c6f607fe5b2ed16a7b03bacfeaea31b335450cb17
SHA512

3bae9fd2a7fdad99fdb961f5b25371abd4bafa046ea2cd1e956d52bef7012ffc969a5cf9d4c83bcbb746d9c096c60d00a33b6863f2d1b42481883e5cd9c5f7af
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzscucgFQ:/7BlpQpARFbhNIyFQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\ConvertToMount.otf.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	02a15665e08aae16bdfa6669fecbe410N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	02a15665e08aae16bdfa6669fecbe410N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02a15665e08aae16bdfa6669fecbe410N.exe

C:\Users\Admin\AppData\Local\Temp\02a15665e08aae16bdfa6669fecbe410N.exe
"C:\Users\Admin\AppData\Local\Temp\02a15665e08aae16bdfa6669fecbe410N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
45KB

MD5
6d5be7ace87484d1e43c4254b68ecf3d

SHA1
97f6d6aead7025c823826f60a4fde2f07984a727

SHA256
2f21939ed8e2d3feff5492debda4c406c0ce9083d0793b63ec46de51ad56c54c

SHA512
4db32dc41bebea07daa81e79aa2eb40526dcfc0f5d2e46c98c747769e58a07cce92016d866de3319a443f6e093d4d33289dd74a5c43fae68d9ab695191d181d0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
cd076bce83e6f77b79eb8e1d4b8ea593

SHA1
4221d1143dc279b3307875f7c64316a6e5091876

SHA256
c8f2958086680f0ed1a464153f77469fa9b351c14c88e2491923a504b3f10684

SHA512
b31828db795cdbee01aaed458c0e1475d3736c8bf8c199326a8f0e52c25d71af21c43dd6a2aab7342c0dc10ed49c9dcb464d408b2f83177cedcdbc4fa9c8d530

Download Submit
memory/4532-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4532-1970-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download