a5ff10847430b1b4ec0a6ceee8d2a9323780b0ca2817a95f590fd555d9fc4473

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffada2734e21d7ab6c6dcaa9efa539a0N.exe
Size

66KB
MD5

ffada2734e21d7ab6c6dcaa9efa539a0
SHA1

99435b730b3ec64eec7257698a05376900de9a18
SHA256

a5ff10847430b1b4ec0a6ceee8d2a9323780b0ca2817a95f590fd555d9fc4473
SHA512

9d0f00076c4f1fb3333e640f112c9683de123470395290c8f05e517cbbedf860df0e9d1add7caf245b7f9c961126e620354c9911c68ff4094dca375bdd381e2f
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATBApwpUBT37CPKKdJJcbQbf1Oth:W7ZhA7dABJJZENTBAOUTW7JJZENTBAOr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4183) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TextWriterTraceListener.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzdb.dat.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	ffada2734e21d7ab6c6dcaa9efa539a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffada2734e21d7ab6c6dcaa9efa539a0N.exe

C:\Users\Admin\AppData\Local\Temp\ffada2734e21d7ab6c6dcaa9efa539a0N.exe
"C:\Users\Admin\AppData\Local\Temp\ffada2734e21d7ab6c6dcaa9efa539a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
66KB

MD5
43e31ad0b9c3061edebeeefc60c2fbe7

SHA1
e428a77f2d969855057960b0ebb48734d43cf4b4

SHA256
3b90301bc49236b39e4c8b7e183009c9a2b79ecd617d14a169dc2c9655925d24

SHA512
fad463567424638786af721f280a4a865c56ef59034ee930b29d1d9accd8fbb4eed085123e7b99c48607a0687b996370bb227bfc3744175bd6e0d01c2744cf47

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
165KB

MD5
8b59a231c3f6ecfe7c47d26378d1e379

SHA1
ad5c47fd5cb99a297dc692646123a215b9602c40

SHA256
7771139579f3d46a43af43c30a9361675a956bdaa88976f6622b02e1adb047a7

SHA512
7874beac0e4367dd457a9936da1860285ce5d7ab01da954832faff997316124a6d76217434c42e4e7ad9f90f8cf99778bab02b9f8680110a5958ccc51d5ffbb3

Download Submit