a0532366d69b68adc7428e5c3fdea0a36391ea5b2432b952697f7c10517c5fb6

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 00:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a9d2dd7068ecba15b50122eb5ce31390N.exe
Size

82KB
MD5

a9d2dd7068ecba15b50122eb5ce31390
SHA1

106c0b52391a2bfa2aa2c1a62b71b794f1accf5f
SHA256

a0532366d69b68adc7428e5c3fdea0a36391ea5b2432b952697f7c10517c5fb6
SHA512

f45d5be0698b4ca67110914ea6f49f5848f9ef94cfe3c954643a4521e9b66d643a756edc4f1bbc79030fad26b40e50e4557e8998bc6480b30802e235e47879ce
SSDEEP

1536:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlET0Tf:6e7WpRaSljuT0Tf

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4537) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationFramework.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	a9d2dd7068ecba15b50122eb5ce31390N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9d2dd7068ecba15b50122eb5ce31390N.exe

C:\Users\Admin\AppData\Local\Temp\a9d2dd7068ecba15b50122eb5ce31390N.exe
"C:\Users\Admin\AppData\Local\Temp\a9d2dd7068ecba15b50122eb5ce31390N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
82KB

MD5
629c24b8c561f60115503d82bbffc53e

SHA1
71ae98a8b0fcf0f99ca8efb3914664f66a2df89e

SHA256
2d187576f074fa76bfe3c3ba1183d7247e001a9a2405614d08703b55911dc90b

SHA512
fd2c363f2c168701906c4287e3890892fbc52156c0547bbd611e0f53180009d93246cf4a660e1c72a3eb215bba2c8399dc2514c4ee84601db0d1ed1644e614e4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
aa1bf2f19a3ba9fec589ae1886f02931

SHA1
44513abf777cbc91d5e154b3cdc859b6c55feb4c

SHA256
233dd6bfd63e7bec745b97d6c4c233a20ca0ab15bb2d7d847c2fd69fb5fc018a

SHA512
6c42d230c17447095def7009abfcbf432a8cc4759bb1cd157ba566695d65aa2703081b63a6c966bb8ca4de03830f156632b7f2cdae094e9aad6053ca69c40a4c

Download Submit