a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
Size

40KB
MD5

8250288b5fb7d0e390aa6a40dfd86452
SHA1

89e0ca56c8f4f0f595e4bf906d3c898d2f4e0019
SHA256

a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c
SHA512

555a3a2dd71a4602904b2c9f5a52ace3e70a9d33868eeab36284624225a92f316adf6209a43af2267981311d3b00414a0fcb003e498347d83bbf13c182585e7e
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLP:W7ZppApBULcfpHLcfpyDY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5266) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PRISTINA.TTF.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.JavaScript.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe

C:\Users\Admin\AppData\Local\Temp\a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe
"C:\Users\Admin\AppData\Local\Temp\a603c9078e7f08fd0d82a76dba7b0d29c70fcf089488849616a04b756da6287c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
40KB

MD5
0d99aa8a436dbf890c5990a7b3c48f64

SHA1
61f2ca09e8581b7b9e9bf1ab505a8fb587006cd1

SHA256
0fffa81adf16518d33ebdb515eda793acf64028c5b7e4ee0695d79f66217fe42

SHA512
bc162c2bad8560d569905fac148aa498eed728731ce11eb572fd9f3209afeacf63fa148f3ccac855a46496275c4facfe9871280b62944b9101e82796e7870a69

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
f26a256e35e83087feec6f654d24012b

SHA1
2835ba546bee5fed3603da2788ebb0538258cf31

SHA256
7b7870dabac79b6686c855fd99f38f658d7f4f2b7ad0f67077454ea9a1e86dab

SHA512
c37ed9d88c504919013907c548e313f1399781d92034aeac7ece2bf527fcc0a84539161181e58bec1799928c25a1fed7149e8d36f0c3e3bae206afadf3975c39

Download Submit