aa8f4a13205190926e71000ba341d84b28893760891905f1280f0de00941bd56

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfa71a1a890546d1e86ad1a12db7e1b0N.exe
Size

41KB
MD5

dfa71a1a890546d1e86ad1a12db7e1b0
SHA1

3d69ec4511f2afa8d5ac155620af2b516b3ab1dd
SHA256

aa8f4a13205190926e71000ba341d84b28893760891905f1280f0de00941bd56
SHA512

dd66b5f9ce3ee92e6ae689db518d463926a88017516d915ce94b0797ffc0b285ce6bd347c4901c370537ded0ae0f4a19c9c6f14f91366fc12cf75e620b691f4c
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8ON4:W7ZhA7pApM21LOA1LOPN4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (330) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\ConvertRequest.vbs.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\CompleteClear.raw.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\OmdBase.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	dfa71a1a890546d1e86ad1a12db7e1b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfa71a1a890546d1e86ad1a12db7e1b0N.exe

C:\Users\Admin\AppData\Local\Temp\dfa71a1a890546d1e86ad1a12db7e1b0N.exe
"C:\Users\Admin\AppData\Local\Temp\dfa71a1a890546d1e86ad1a12db7e1b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
41KB

MD5
103767024e7a66c487f1fa38bdec8c12

SHA1
a209c4a95d357b8045d4e42980893cb3fe6636bd

SHA256
12bf6ad96cba3f711e591aaedc4446ebe1214fc0361c61a829d80a2508cf8cb8

SHA512
b9e25d9480cca55f5c83ddf1ef3efc7142d1ce00b6fdc242b0b3bbfda07db441fc3ba9454734877cb2cfe85eb4525e7ac8985cc217d8247d88f47da08d2f0464

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
50KB

MD5
f2c31a20f73e59c2ce0fa4aac89065a2

SHA1
5d118b93cf092a0b56de31b8d02bce84e5533666

SHA256
bb6c358057e6464ee45ec57acc8c65d39275b58a997bd05098919c611cd61b42

SHA512
089181f34b0dde4ac7854dcaf34d8e7f1e216a1fbb61aaabfd8937e119d577b0fe7981d2687678f89b455d2a37c7f5fd2b9f0a92da18b53bd3afa12cb1ad423b

Download Submit