8010d9e95afb049e65057fbf43b865ac170a234d578dda8192c4d13de6239a82

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa40ec3f52a27440920939c2c75001c0N.exe
Size

49KB
MD5

aa40ec3f52a27440920939c2c75001c0
SHA1

c8a8adc2096e5dfb9a50d9d33948437baa7c9d64
SHA256

8010d9e95afb049e65057fbf43b865ac170a234d578dda8192c4d13de6239a82
SHA512

8fb97c3c7314efe4ee4e64845db487c1733bed49341da5220f3ef378972c800cc8445f7a17a58b5d389977775b6729c1d50e452cde0ba07fe7fa83f7bd33778f
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSwVEV7gigR:W7ZhA7pApM21LOA1LOl6vSGxR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4691) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.MemoryMappedFiles.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Brotli.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Security.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	aa40ec3f52a27440920939c2c75001c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa40ec3f52a27440920939c2c75001c0N.exe

C:\Users\Admin\AppData\Local\Temp\aa40ec3f52a27440920939c2c75001c0N.exe
"C:\Users\Admin\AppData\Local\Temp\aa40ec3f52a27440920939c2c75001c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
49KB

MD5
9a62fcc0725717ce2a6ad027e2f8160f

SHA1
e0691232ac7dac66fa747d806e9dfd235033169d

SHA256
fa27c2590c2a495167f64e61a23290e16aa4d3f6b1ad1fc11c0b46c87673494e

SHA512
ed6fe0f302e2c00fa108d49b287d84979048baaa66e55c127fa1fc070968d280543e7ae21ce2060a7a6aadefeeb67857c393c71bc17d02fa506a417d879733bf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
e63f7cea1ca5743a33431c7b34d8eb3f

SHA1
4bc79e7cab58c716ec2562f36539316bb2954d4b

SHA256
829a6a6441dec2f578a9adb6b827e686860fc18e50dc2e846d5beff814ee1e3b

SHA512
bc9a631c045ae01a3b3b9c48153905dc4cd3ac4ab0dc3bc70c354fa1c9dab26095acabf7000b611bb6ae184a83a2094072e5e86859ba1eecd86345fdb682225c

Download Submit