21901f0d83c588057cc970a97facaa46064fc9e1070b96c34b2c217b6dc5fd58

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8dfeb891562f80ec706f1bf7f8ace10N.exe
Size

47KB
MD5

a8dfeb891562f80ec706f1bf7f8ace10
SHA1

dca2ef44fad2559bd0b218947f4d8c1b06ffbbac
SHA256

21901f0d83c588057cc970a97facaa46064fc9e1070b96c34b2c217b6dc5fd58
SHA512

d66ac98c654e448e1310024dee4abd23b818d8a0422242cdbae8732aeb0657f63c1e90b9efc4748f219d2eb48b8bfdf42f70c5a313a06080ae8977436fe2d128
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7+j9nT:W7ZhA7pApw03vR03vwnT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4617) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	a8dfeb891562f80ec706f1bf7f8ace10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8dfeb891562f80ec706f1bf7f8ace10N.exe

C:\Users\Admin\AppData\Local\Temp\a8dfeb891562f80ec706f1bf7f8ace10N.exe
"C:\Users\Admin\AppData\Local\Temp\a8dfeb891562f80ec706f1bf7f8ace10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
48KB

MD5
66a89a709b5565e4ec8acdb0e9410082

SHA1
524f71f1b06b12c7dbf0cf6db3eb1e140ad96199

SHA256
8ee0e8869646ce0cce0e0a9673976b94281ac2ba619314ea24a30067af483fce

SHA512
adbd3a7b99bd01ca99b081078ba25ade24437791d68e8ab10f596aced56d8a3bd7ee0c2a89659a32e46f666357bcfedf602bfa48beec73fea90bbce2bba24c2c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
232bcc9efda2bfe994a2de8f1fe5ac87

SHA1
be03256d2c240412daa12b4b1ceb2a7b61f4824e

SHA256
2fe06f0a7f413ceeca045c19a377064f038e096ccdcfdb886dc7572dcbf19c91

SHA512
e0797d80af03c99364f68990ae33d2f6ca50aa3ba2a134aeb2866cbc72d1098110adaad345074d2c03ecfc0da0b9b72de85079312222ad96673769181ee98874

Download Submit