dc7c15bb64e09ef62052899c6472d82c571ad69a6d66db0a8eeca9160ec626be

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac49a47c12c9144cf20d5e0b883afdc0N.exe
Size

88KB
MD5

ac49a47c12c9144cf20d5e0b883afdc0
SHA1

ec0b65cab201ad1c0f85d1f287320413ad84b396
SHA256

dc7c15bb64e09ef62052899c6472d82c571ad69a6d66db0a8eeca9160ec626be
SHA512

298af35868a2028af96df539e683c2f776318738d8a6e077ff4263696b0e014e026a7fdf97167c8e1b4ae5d647f735e4344b0278ab6fb715484c880b67fc94e4
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYt:6e7WpMaxeb0CYJ97lEYNR73e+eGGq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	ac49a47c12c9144cf20d5e0b883afdc0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac49a47c12c9144cf20d5e0b883afdc0N.exe

C:\Users\Admin\AppData\Local\Temp\ac49a47c12c9144cf20d5e0b883afdc0N.exe
"C:\Users\Admin\AppData\Local\Temp\ac49a47c12c9144cf20d5e0b883afdc0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
89KB

MD5
63af9370964d940f61797076d17aa21b

SHA1
f47e578b86702e4555eaadf2224004a0fd56548d

SHA256
054e0f4c04087f9bc0daaad5f699fc07a837b4d68d8558198ccf767e715c9da2

SHA512
7cd72bcde83a736c2bfe138822e41802cf0dcd1f4f76dd61aa58fc56576b44863338d18a80422409e998beb619938776eeb5403db7d8e06e7db543281e9cad33

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
af202373d439b43168e3f17449e8e933

SHA1
38c6970da961845554d187f083f495e0fc09f436

SHA256
cb4f8b6ae8ca20d325c85ca229f13e9d17acaed938ba0180cb999740cd895680

SHA512
fd7c97ed13f1c9546fad757689bf69b6b2c23259ae1703668361383f5ae6fa185384531fc2bcbabc989a183e884d74b3226524b3375b7bc0ee9c0b1c90aae302

Download Submit