abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
Size

55KB
MD5

29d622424fa4b730b8ff41875d70d76c
SHA1

437aae37d5a8d4526cbc671b2667f2c868834151
SHA256

abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90
SHA512

b4c468a4926a427dcdc9f78524bb695de43a9d54977708ed856e8f804b4ea8231d8f464790dd1610b16407b4aeb54a94ca6a2653664d0ebf3eb61c286fc8dc9f
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNKVkVYlIAItCCIntkntV/eazc5azccpp:W7BlpppARFbhFAxC7ntkntV/fo4ocpp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClient.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe

C:\Users\Admin\AppData\Local\Temp\abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe
"C:\Users\Admin\AppData\Local\Temp\abcdbf29205f09254dcfe0e412e1cf586f81a79e4fe61a58dbd12d77b999ac90.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
55KB

MD5
a05b13325f5b968a422c2a0b60478875

SHA1
377e2472e067c72ad3e9c1da01c4240a841b12b9

SHA256
3fefc41a9fadc14ed74e6a81c9ada05c0fc6299badc96a3c2d5c77bf5367c11d

SHA512
99fa50d422758e9b3b9fb71c88631e7b00803a9b05d2b544ff2f47fccf5400d032c1f4115121b3b0654bcbd5c36801dc858a6f9c9ced4969a727f38fe41f7adc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
7ed8acd7be873466fb842501465c6fb0

SHA1
38f3ddb447c8df4ae6d123b8ae60929be2d92b8d

SHA256
cdadc1fa0ac485ad0a2bf54a58a3ff980754c9af226df2c42c087921c5db6e34

SHA512
ef584208156148cd52e3cf77a061c6ce043306d713a36e41938228c3d5e8ff93f185da9ef1233d45b9057094f40e0b58aa76a9d30e757132865a3322b6de5e53

Download Submit