ead8be57c4955cde1559e1dd09aa44461256164bad8496203358bfeb5e4ff169

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb1e1d1244e6bc17ac709ee406eb310N.exe
Size

38KB
MD5

afb1e1d1244e6bc17ac709ee406eb310
SHA1

501657d64f890087a6d4a153d8df1281608fd7e2
SHA256

ead8be57c4955cde1559e1dd09aa44461256164bad8496203358bfeb5e4ff169
SHA512

385a0fc7bda5f10be9e93bd3582cbaa6057427aa28db947714655ce3f03426dd653d527b27d0adf68c6daf1b48ca508c3e1a9c6cf4d24ff82e18f0fbfc40165d
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNF9:W7ZppApBULcfpHLcfpyD9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4673) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb1e1d1244e6bc17ac709ee406eb310N.exe

C:\Users\Admin\AppData\Local\Temp\afb1e1d1244e6bc17ac709ee406eb310N.exe
"C:\Users\Admin\AppData\Local\Temp\afb1e1d1244e6bc17ac709ee406eb310N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
38KB

MD5
8b7f17dc7999383b59cbd2f562b9d392

SHA1
ca0ba36ba56d16b8c5355ec6ba87d54aa538dacf

SHA256
d3ab71b0c20600a1aad5ae827559df777c9f35c2b1e7ed8f60ae467c477b2d40

SHA512
3c5e301fdda07766b301890a8e271f87fb17f5ef4bce46f81881b7d56c2dcebb18feb815a177e7829e3674679641492c9fbb41a79ec350f0309a7c7dcc07e1a2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
4171af0822f90d7ecd380448a978ee42

SHA1
86931f43d98501fa0748485880367377e6e57c8b

SHA256
a3f9af8c6a30672b410094e6b0d061c77a17389bdc8badb71a57be554cd23da9

SHA512
3ed6b8f1cf2057b8e58879f1ec8f5b44da24c3f73c0f772fe9a5dba855047a4d67d3c49d38901959c62627a87a6cb56dcd080c42678eaa4df10e7d6ae91e3d15

Download Submit