4c982b23679a7c6a3e25ebb5bec66ea84c680180643f724b6245a7ade96111b8

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88aca0a893eb3a397efd9624a0b1b160N.exe
Size

190KB
MD5

88aca0a893eb3a397efd9624a0b1b160
SHA1

ae109ece23d97d5461f4aa30354fbb0df4a9b1dd
SHA256

4c982b23679a7c6a3e25ebb5bec66ea84c680180643f724b6245a7ade96111b8
SHA512

ee2e5ac0ed16be1df93cd915c52498114e0e91893dee9fb18fb8f4c6d08bd72d152fd71906e9b4b9f79dbc98ec4d38aa402af894e400fbd9549177a9407648c5
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBgnW59XGww:RqKB+tOkWKR0iJ0MnW5Eww

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	88aca0a893eb3a397efd9624a0b1b160N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88aca0a893eb3a397efd9624a0b1b160N.exe

C:\Users\Admin\AppData\Local\Temp\88aca0a893eb3a397efd9624a0b1b160N.exe
"C:\Users\Admin\AppData\Local\Temp\88aca0a893eb3a397efd9624a0b1b160N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
190KB

MD5
d6979b934d12ff745a47832493137edd

SHA1
e9813ec0c5558014ffc02e12b67eb524199f2360

SHA256
6381e73706aab5fa4ee278456cc7a20910970ec68eed86358062a1a635c2dd01

SHA512
fa64008d29a38f8e3b3eb3429aa7fd288e552401d401f9a5367ca4862af86e4137aaf4f08287d8e61178ed9ee746e14cfcaede296db565a03978dbfe6fcc9f05

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
289KB

MD5
61073e25f102e7f03c8829dc52cc5cf8

SHA1
1c61066033c5c91f8aeacad36cf89a31148f4834

SHA256
e23ec442ab490e729e14b4751a98086246098a2b7a06dd7a9807d64b4ed44da3

SHA512
27b62114e445bb35ed4f4ec45927746d39c60006f90852aa9dce2ff57814b9fc376f4b2253acd6a097e5db9f5527df380dadd19957ad1d37d4ca11c1121d8aaf

Download Submit