51e1323111ad6c92f6aff17f39b376c0ef9df5888c99f39f8eea26bf601e91a0

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
Size

36KB
MD5

ae2c71a44e5d67d35ca1045b5bc2b9e0
SHA1

f017b0ab1ebe772c981c05f80a18aa9c739f9b6e
SHA256

51e1323111ad6c92f6aff17f39b376c0ef9df5888c99f39f8eea26bf601e91a0
SHA512

609de5cfd334225f56d656331b56feb133a1b6b9e576f137dbea0d9d7ab15862a42c80ec80f19f4165109145fa21a84d0dcd88fcaf7f94c617c70c519911a2c8
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmI0:yBs7Br5xjL8AgA71Fbhv/Fzzwz+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationFramework.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe

C:\Users\Admin\AppData\Local\Temp\ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae2c71a44e5d67d35ca1045b5bc2b9e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
37KB

MD5
c9b9bf8543a1836b214132315e49e2f3

SHA1
8e9ce27a77cdfbf4c17a4f766abfdeaf18499d66

SHA256
ce1ad8dc0e0cf8032e591b33db27581efd5a972b3492833fca0eaf57a32519ff

SHA512
7f165d4976cd8043137cd99cc41224565e34d378fc263fdd36281fd4e4e82ca4404b6bb9bac32c2cea9ab118ed32bbd3a070fd806008070895450cd73e4f3996

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
ea6871d75cb21f8cc38edc067e544982

SHA1
1c3d69b0bce5b2cf7e455758c39088c7073234f7

SHA256
b0fece70e0b07537f5b5ca06d42aa3e126f07c285c93e0b70e0c838d9c610cd2

SHA512
827976e053dc1fc044513e5956c498e3cb5d189379b16cc87997796dc428032078569612be53d9993b952e4b5033f20af9e7e8140bb16fdcc51e66c45a20b4e2

Download Submit
memory/1644-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1644-926-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download