2cd3a54a797707ebc51379983bb0e8da8ac951fb708f80ca319606df49c88c7d

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab6fc0cb87c9065206af045775f54190N.exe
Size

35KB
MD5

ab6fc0cb87c9065206af045775f54190
SHA1

dea9bf417b86ec931b949857594f2a37e00ec713
SHA256

2cd3a54a797707ebc51379983bb0e8da8ac951fb708f80ca319606df49c88c7d
SHA512

b4a1ebee232580f63d7d6c71152906fd5d92d0c1d6955b3f79ab8d80055e88fd110a4969e1c6c56265978d2fa2b44a7cca2ec76bead46227da3f83948a1ac094
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhv3KueKudLl++KKdXdO:W7BlpppARFbhjbhPKueKudLw1KNO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4670) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\LockWait.vsdm.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemDrawing.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\deployJava1.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	ab6fc0cb87c9065206af045775f54190N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab6fc0cb87c9065206af045775f54190N.exe

C:\Users\Admin\AppData\Local\Temp\ab6fc0cb87c9065206af045775f54190N.exe
"C:\Users\Admin\AppData\Local\Temp\ab6fc0cb87c9065206af045775f54190N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
35KB

MD5
3e12ed2b547b747a44f9a0fb270637ae

SHA1
13ea00acc152c77c7f0d1ef5ad9c690d4cf9bb78

SHA256
2c266bae366758aff84fb1a2dc76f398a98842cda1046d6f7813a3b18adda0be

SHA512
ba057c2feb5b5977e0030da886eedb3feedd7a3620978e4983d226aaf2d5dec190fca2f050c08cfcd8d253df9ea11d329514e070f90d36ad3b9feedf88ad4a1f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
a5caf488d3c5d67098ee4b48e9f985cb

SHA1
c0077668c0f45083e0e9e687bfc76030740f7c27

SHA256
84bfcdbc4556afbe4856711100beaaab029b006cc4bab217ea3ead6a92545e85

SHA512
e075306d53e35f7123c8ec79bff8ba593f768315297a80fceb26c889c9539aebdc8fcfa55eaf51337797e83d9ae0b6dfcab2300a01ceb95595bbe6333280e828

Download Submit