22b1dc9bc85c704f4527a25e252da266350b80a6052380e8769502f90a84aaa0

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad142dfb94b33bb911720d66ab0453e0N.exe
Size

58KB
MD5

ad142dfb94b33bb911720d66ab0453e0
SHA1

c838ffab0843211487f330b0c2aaedf24e6f7e59
SHA256

22b1dc9bc85c704f4527a25e252da266350b80a6052380e8769502f90a84aaa0
SHA512

90998c10911d34b491acb53e9adf4f195f82cd2f8d159694478b4dc47ca878a399a1deaa1fb872b00dfb33d400ceee4ce482b53952a9dab2e14b31ad7e0a3117
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyfxAkJhxAkJU7AiPWiPBAb:W7ZppApyVyjVyi7a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4621) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Xaml.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	ad142dfb94b33bb911720d66ab0453e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad142dfb94b33bb911720d66ab0453e0N.exe

C:\Users\Admin\AppData\Local\Temp\ad142dfb94b33bb911720d66ab0453e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ad142dfb94b33bb911720d66ab0453e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
58KB

MD5
5dfabca0dce01c3e408a477746d9b9e7

SHA1
dea58c210f7230cc37b3ee5a892520cf173796e4

SHA256
812d0aa72267e2bfb90538b3b94650d0364ab251f8266ac80ca3c4766753b597

SHA512
3d29e1ceeb208bc57d09772f544632176a7447dc118f47f8de2ecab9ab611d56c0390d256f8f6a122cf411a213093331e0a40859c47764ef08fd7684c6cbd718

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
157KB

MD5
658beee70d089ace219c3b174eacfc22

SHA1
55ff3234958a0ed91a8cdf6b98710694396d6a00

SHA256
502bfdd83007d338bcec4dcd65cb68493264c31c7201c600ad0ea32c17de5360

SHA512
89ec8c15d23eb4731e36cc8a68a76bc5d9c40b11585ff6ea8795ac193bc1514a4ba605cf6e04ecaa5921d2be543e12d548aa84afadc38e6348260d486d84fe25

Download Submit