18411ba519cbed985ca0e83e4368614c1e7189e62e59480e076a81e2eb443f5a

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7c5636edfc1bdaacf016c68c8030040N.exe
Size

46KB
MD5

a7c5636edfc1bdaacf016c68c8030040
SHA1

479d07a98eb8e1b7f7f1b0c1cb1d8876bb887d8c
SHA256

18411ba519cbed985ca0e83e4368614c1e7189e62e59480e076a81e2eb443f5a
SHA512

9a5885bc793f0965b9bcf5191b7e61ab38cfc6435b5a593b5739a45034e029c400188da7281194a5783203b2e4024cc7306621b635ec7799bc9469b792f4a798
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGgFpdpllFE2lFENcjZjc:W7BlpppARFbhbt7Y7eDDESENF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4696) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ppd.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Controls.Ribbon.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	a7c5636edfc1bdaacf016c68c8030040N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7c5636edfc1bdaacf016c68c8030040N.exe

C:\Users\Admin\AppData\Local\Temp\a7c5636edfc1bdaacf016c68c8030040N.exe
"C:\Users\Admin\AppData\Local\Temp\a7c5636edfc1bdaacf016c68c8030040N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
47KB

MD5
8c452eacc84089cfb4a64cdb783a8a63

SHA1
0bc3e81e9e12434cb08069ba879df3da186a258f

SHA256
d36b9e55e0f2a385e6576625bf22f89d7e3821152ef4112ad0859569d0df2f8b

SHA512
e87330edbf56b8b83feff68137df28a3c629f0a1c1a0ef31cfaefeed0606400933f3c237622464eae38ccba33f4032091f89347e3aa7f70dfb9a51c2fc0adc1f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
a0f24d41ef55303d3925fd348a7509b5

SHA1
571889e00fe66040ec87219179d64605773e1f52

SHA256
2eaccc4e344f0a742a3c89d20e0c355daf3cd6fa39b03e81234229f394b533cd

SHA512
ac7e735db7add3bc20ab7bfaea6bbf8eae371012ab648da8637c784213f07824b031120363c05288b61eb163f8ac4fac56d8de5502569157e6ea80f8bdf0033a

Download Submit