f05da185d3f481a1d52a9cfed2fe4159b9f34b0f2e0d790a60b7be261ad0cb12

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a530839ef8703daa8077e70636e690N.exe
Size

42KB
MD5

a3a530839ef8703daa8077e70636e690
SHA1

556ac8a526c46002e5f227907cb30e8e1d865dfd
SHA256

f05da185d3f481a1d52a9cfed2fe4159b9f34b0f2e0d790a60b7be261ad0cb12
SHA512

860d7330eebb549c91cd523b4fa89a1ec473ef9010872140d2e4a99cd3d01c96656c1b9bc8340eca847f045f256de5f550f2e6190456068ea5373268bd776f1d
SSDEEP

768:/7BlpQpARFbhefnj0Tjfnj0TPuqKDKrvPf:/7ZQpApouSvH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationFramework.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Controls.Ribbon.resources.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	a3a530839ef8703daa8077e70636e690N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	a3a530839ef8703daa8077e70636e690N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3a530839ef8703daa8077e70636e690N.exe

C:\Users\Admin\AppData\Local\Temp\a3a530839ef8703daa8077e70636e690N.exe
"C:\Users\Admin\AppData\Local\Temp\a3a530839ef8703daa8077e70636e690N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
43KB

MD5
e5a6c1b5a3ff99f35e62aab87da8bda8

SHA1
877412a640c72b8281c9cd3d714fe2cb6ee42444

SHA256
c407c81590029c968e904d80669a14712ac98478a93fddfe46207178b188e695

SHA512
2b0b52201381cb2c3f10e64f5dde6103c53b93cb1007851cc1afcb59cfb2d152b5724f50d6e928a61d8088912409b103689bc29f8a717fbbc83c22db9692c9bb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
5633da0e5b1547096a221d7adb995338

SHA1
8ed437cc9b73377d82653499f1e63774a2c382a0

SHA256
389053bddb7a1b638a7ebab7d192be587ee8a4a03cccf6756b28be28b549ec7d

SHA512
baa78a756afbe5fd1ce2e23de67c38b335f6cc01f80f3b11a7b85d6297020fdbcc8d512ccaef4925ab50796c8ff2ecc57071ff649719399d8c25781b3b13629d

Download Submit
memory/4792-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4792-1012-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download