953162c42ee12c2a88b39c7b0b5f25f521747064da3a1e4ab08715b483e5eadf

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2caf1aa641f69c4a9a67a2464fa80b40N.exe
Size

39KB
MD5

2caf1aa641f69c4a9a67a2464fa80b40
SHA1

dafaa7a8f8a92e7a678d4d0fb41d829e79ff94d3
SHA256

953162c42ee12c2a88b39c7b0b5f25f521747064da3a1e4ab08715b483e5eadf
SHA512

c07ab23b30ba22f8b76f50266ad4e7acbdd7d540ec14ed75f4a50025cf6d770b50e37fb7978d27c167005cff74f437bf801229bf9a4d353d8971f6d6df8eb14e
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3fqdFfoepemqdFfoepe9:W7Blp9pARFbhsbfoepelbfoepe9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsBase.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R64.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	2caf1aa641f69c4a9a67a2464fa80b40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2caf1aa641f69c4a9a67a2464fa80b40N.exe

C:\Users\Admin\AppData\Local\Temp\2caf1aa641f69c4a9a67a2464fa80b40N.exe
"C:\Users\Admin\AppData\Local\Temp\2caf1aa641f69c4a9a67a2464fa80b40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
39KB

MD5
5d6613ce547dbb0d96a1623ca80e5f75

SHA1
ca0a69db9a6bd89016ceccd1bbd7ea169d09a9bf

SHA256
41f82d51ec221ad85dbb289d82553693681c7bbcf92e9c854219cec415ef162a

SHA512
0c6d5eb86bda2b7e12407a13dff94dd5fbfc9ca9211323d72c70176edcfc0bf842f90b8d10ba9f22de54d98bba8de97492e47eafd4c9279d10b3fa88c16d2011

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
27b0fe4f7485ab0d144a9539c40e5b75

SHA1
67b9da42db5f9022fd2d3b4766a3b2e6ec27d2dd

SHA256
8af6e61bfa59c0d8a43c3be38519bddd0459993cb6f467b08b097d81bbda697b

SHA512
8b9fbdeb8675fdd3a3e6f90f5f33f54d5b6a0ef9cabfd48b398f4a7a54994c14d01e7384be92ac35811ad97a10ed5a55548b4527f843974942be7cb4c2722141

Download Submit