afd0448a740e3d7a03fc35e81955930f264ac38f33c9e4ff12b12cf8609e41a4

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d18444a4ba422403bd973bb406ebe90N.exe
Size

102KB
MD5

4d18444a4ba422403bd973bb406ebe90
SHA1

260e36779ef4bb44fed714ad3a0c0872f50d60d9
SHA256

afd0448a740e3d7a03fc35e81955930f264ac38f33c9e4ff12b12cf8609e41a4
SHA512

24f289a405b48e170c08d292bd41e3f402850b9b1052bdc5599f82cc832814b558b39524b53127122c503c94637bffe4282d3fabe2f099b5f112b03e8a7f9755
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/80PqPIUpCUpiP6:6DWpwE7oL2e+efZwZ08i87

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	4d18444a4ba422403bd973bb406ebe90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	4d18444a4ba422403bd973bb406ebe90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d18444a4ba422403bd973bb406ebe90N.exe

C:\Users\Admin\AppData\Local\Temp\4d18444a4ba422403bd973bb406ebe90N.exe
"C:\Users\Admin\AppData\Local\Temp\4d18444a4ba422403bd973bb406ebe90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
102KB

MD5
8a910f9ef4506b0ffdbcbfef4752baed

SHA1
80fd6eec62291fb1bd4fdbb87cc94faf2622b49b

SHA256
e364d9451b8ea295ea1786ff5f2ed27a1f325c04fe86cd034bbf9d3dca76712c

SHA512
bba280f670d15a51017ec5b992a6caa05a713c16fe7dfdab675fd13cdf7f1f2b693dd0da1bc397da569c92fe7ec906708ac54fa1351d4ea8ddd9b88a718a2e42

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
201KB

MD5
42ae54a51397e54264eeadd924486c01

SHA1
640acf84a3e76c01691af00e663bc556d8172e29

SHA256
70ef89be822eac96f36b90f7f7595fdd18ba535f13b4c06c3e06c9dfcbabc24b

SHA512
d4b1526bd025e00b50e0e56c5a814ac900c5ee85d07a973e5e21626f66747fdc1c41e583caed661914e5cb901b14c6053ee4b95cb975f86febc739f443c41276

Download Submit