9e1fdd19e82803662c9c166f01d5dc2a0ccd464aafde12316bc8921ea23c2bd9

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabf11d4feaaad7864a85cfb54d6c250N.exe
Size

43KB
MD5

dabf11d4feaaad7864a85cfb54d6c250
SHA1

b40ccc4a1b7a460608ff0a15d210aef3e877ad91
SHA256

9e1fdd19e82803662c9c166f01d5dc2a0ccd464aafde12316bc8921ea23c2bd9
SHA512

a588a3962b234a039e70ca90fd6f4c1a68395e0d1f27268395ae0df2b89b084d9e8396c4a3e1b35ddf30b1ea14670e028eac1d684781ea9dc45257bd28104917
SSDEEP

768:W7Blp2sspARFbh5YSfff9n1oXKCqzEIn1oXKCqzEM86:W7Z2sspAp5YSfffF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4670) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AdeModule.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	dabf11d4feaaad7864a85cfb54d6c250N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dabf11d4feaaad7864a85cfb54d6c250N.exe

C:\Users\Admin\AppData\Local\Temp\dabf11d4feaaad7864a85cfb54d6c250N.exe
"C:\Users\Admin\AppData\Local\Temp\dabf11d4feaaad7864a85cfb54d6c250N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
43KB

MD5
92007c441e9da5bdc50c1df23632a71d

SHA1
ad708f6c660b044c0a64b0350daca8860d3e2be6

SHA256
fffdd9e9b11ea020785e056254d7035d67dcfa37693f056a9c68005599d50b41

SHA512
9761c6a532b6e7e9d2977984d587513eb88673e2e9b06fdd36b879c88f5a0a19ce33078849f2663d0ebde8c705412cdf14627c0c319c99ee35740149c96c18e5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
c11d222b335fce3ee103b0c56d83778e

SHA1
9b602262558da20897ce7a70b59f6a056d65bb84

SHA256
4506d41b60a76e367a6fe7105b3c17a6da96424fdc1336a3eb598526e6e4c518

SHA512
9e95230d8e47a31feced949148be9d25f265eb21fb83ce25b617870a9b0de0751a910d81871fe6b3b29afb97edc96cb7576728af66c04d489e84ce71344240f5

Download Submit