bb4d3122949f0de622d3d8cbc4fabd7c16c92f6a32fcd69e709117449f781668

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
Size

77KB
MD5

a0a7b0c37e61e7b9a63b4fa2bc091820
SHA1

703c16cc97564c898b9b0fceaa96dfee4dc3b711
SHA256

bb4d3122949f0de622d3d8cbc4fabd7c16c92f6a32fcd69e709117449f781668
SHA512

3d914ef362f3c771eb8b93e4c7121107e6acd7b8ab0a409b0817aa065bfb081672583412a0c620e8a864c09b3601e94a09541cbc205ecc382049822539ec6fa1
SSDEEP

1536:p7ZhA7dAp1++PJHJXA/OsIZfzc3/Q8Ue+bCeh:Te76WQSotbCeh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\DismountRepair.ps1.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0a7b0c37e61e7b9a63b4fa2bc091820N.exe

C:\Users\Admin\AppData\Local\Temp\a0a7b0c37e61e7b9a63b4fa2bc091820N.exe
"C:\Users\Admin\AppData\Local\Temp\a0a7b0c37e61e7b9a63b4fa2bc091820N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
77KB

MD5
7a84fe866ba1ec5ce11c09ebe5af61c0

SHA1
e2e3005aa58d80e85f6e93edcfab02d825a01429

SHA256
becc734b7c01dd2eec74d41ca59d2b4caeb54c11429e58ad8ab744d74aac2394

SHA512
cd5ad22c5ba11f55036925290bbd1479f1af746f86d368649243c741abc8907ba6af74634a49baa6301116c3f25209f474bea6c1e4c298dad71945a7189f38d0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
176KB

MD5
7c7a1e4bf8ed4eda3611fe2a8e33c6c6

SHA1
b7ecbc71165daede158940650db0073f8b302d1b

SHA256
8e471c807673656121096240429a874b99c671d52fe5a7049870f71d108acc6e

SHA512
d7d2e47f1f6ce96df0f860aa4c3c7698e976e0cae52a4c41a858c48273715f693eac2f4bbf207c4cdff852c2a3bc74ebff4f899423c4ba5586d5c8c127856bd2

Download Submit