67b3a2c099b25ae4064e3cb0e39bb9594b64a933b47aa1bb40d6cbb43ac7996f

Analysis

max time kernel
120s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ac1f3620c788f66016af1e3b379110N.exe
Size

37KB
MD5

d0ac1f3620c788f66016af1e3b379110
SHA1

7003dd9fc3664d5a767e1a9e6444a6e47aae9930
SHA256

67b3a2c099b25ae4064e3cb0e39bb9594b64a933b47aa1bb40d6cbb43ac7996f
SHA512

f303e3d80f246d341c6b563282e27c2e265e74ac347a8eecb31977d0e7c2881e60ecab077122541fae744ffba1e8cffbc55bd9d667f537177285f09764ad1e8e
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhv3KueKudLl++KZ5:W7BlpppARFbhjbhPKueKudLw17

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4693) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\AddJoin.zip.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	d0ac1f3620c788f66016af1e3b379110N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	d0ac1f3620c788f66016af1e3b379110N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0ac1f3620c788f66016af1e3b379110N.exe

C:\Users\Admin\AppData\Local\Temp\d0ac1f3620c788f66016af1e3b379110N.exe
"C:\Users\Admin\AppData\Local\Temp\d0ac1f3620c788f66016af1e3b379110N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
37KB

MD5
b99f98038d6e20ddb6ed69895d44c19e

SHA1
19108d6c027bbbc67717f9ded0eca590b7f0a917

SHA256
d43cec5480959dcadade77fdded79db9fa8dc0a4b8d5aea2f50366a9384a4c61

SHA512
246062951c3cd83e8720102443bd2bc3c167f95f11f441fa17da2a91ed1ede8546806e6e6fb346b679841a8e800d5967bf21a71821612c622351975ea46ac5de

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
9fd0bf149b1ef94331ec0445c8b75770

SHA1
3483b6546ab0981c5fffbf7706422b8e6b4e11cf

SHA256
b91f4e9b5dee6426cbaf21fb08cc25034d1fd1fca341fb1f15e582c9d658c63b

SHA512
ed80bcb715cdc56b120a74e790c9145544f16b855740248e9a011fa9997af3b11541189601e507c14565ca42725818bf0b8e3aadc38879b54e83fa1fbae2b185

Download Submit