8b9dff32ba6050cff609e650b09f004d7da9072cb262784d6338042ca1f3561e

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1fa272ab36213498b1ea78bdfe94b30N.exe
Size

70KB
MD5

a1fa272ab36213498b1ea78bdfe94b30
SHA1

c47de66efb087b327d9fcb6ad2846448cc69d48a
SHA256

8b9dff32ba6050cff609e650b09f004d7da9072cb262784d6338042ca1f3561e
SHA512

8b18219486dca45e71ef3db314db73aadbd4136571735e5050303f88e05ddeb659f74301c8e12374367ed70546ed94114166cadeff596fb8c8d008103f29ba6f
SSDEEP

768:W7Blp+pARFbhtlmlQ3y3RWvf+wi1x9f+wi1xBTCcX8vgCcX8vSd5hdx8gl0:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-private-l1-1-0.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1fa272ab36213498b1ea78bdfe94b30N.exe

C:\Users\Admin\AppData\Local\Temp\a1fa272ab36213498b1ea78bdfe94b30N.exe
"C:\Users\Admin\AppData\Local\Temp\a1fa272ab36213498b1ea78bdfe94b30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
70KB

MD5
89fb6ef91b1edd89ae54b15abd344c12

SHA1
e10648233edc741d29c55056c2cd9a072db51630

SHA256
1f85aa50cba5ac584dfb4f0c59ba0e545badd14f5a3c9907442e3e83607abd5b

SHA512
604a87860a556323e150c52d0ad1b8b008b63ca55de49a7fbfcaf7ad78f1ad5bdaf10ee2babb9fe91a40a7299f11f90e036485fcbd10f613fc122575301ade3d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
9fb57e32483bf1b9f73e03b29e72b12c

SHA1
fff601bb185615db2aaf761f2882d37a02adad79

SHA256
7be0deee0d7b68dfcc5c9ffca95e06e719894de13d74a607984dce99c3fef82c

SHA512
8e13a99281401c9179c32ede2cbe3f8e0851b620e7b71b13d58341d1f5a9cfd87318db836399ddb702fee4ab7d837b0dab825bdae3fc4c3ee56d661e0ae968b2

Download Submit