a7950e4c428e79550dbf6a3d5dd20a56466b215f3ce2744e6d122b38267e054d

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a57c12a8c104f631a0a8da85301da360N.exe
Size

47KB
MD5

a57c12a8c104f631a0a8da85301da360
SHA1

ecb9cf3efe43dd0f11c51bfc52239ddf7a6cd91e
SHA256

a7950e4c428e79550dbf6a3d5dd20a56466b215f3ce2744e6d122b38267e054d
SHA512

e4c4bfb4ea5892f60892fcc13ff02fcfecb47942960be6f563504d6b5fc55cae341c3bb86e97c341c2bce2ea1ff0a1abb118a77078149b424d2b637638c19ef9
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8b+L33EskmKsL33EskmKsZ:W7ZhA7pApM21LOA1LOofmKXfmKi

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcr120.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	a57c12a8c104f631a0a8da85301da360N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	a57c12a8c104f631a0a8da85301da360N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a57c12a8c104f631a0a8da85301da360N.exe

C:\Users\Admin\AppData\Local\Temp\a57c12a8c104f631a0a8da85301da360N.exe
"C:\Users\Admin\AppData\Local\Temp\a57c12a8c104f631a0a8da85301da360N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
47KB

MD5
f96b45bc71e301a7ca5ea09c7376d7c9

SHA1
ef069910530e17bf840801debff4406061875312

SHA256
118ef0987863d55fc015d639a0c10e49211b09160edfc9ded39e21662394c58a

SHA512
e9a90271e669d47533bd452213c6460252bc2c6c6352d53895511aedeebdb68783ed9853b6967f66ef0daf158afc6d24b4ab38a6ba94088dafc5dfcf338b79ca

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
6519b4ec792ad75b81b288f614b0d110

SHA1
10eddb1899d92f5312096e119ccac88fa2a2c5d0

SHA256
626b8659f89576f1f724843f8bd6d454927679c7208b4a64e28246ba464c0c27

SHA512
deada176a6d20f219a9f8ca2176210e82e05cc9e746cd1810493a241001ae26dc674d05f79941ccf921ab22a75b68b1d9685f6423928f720f44402a297e7951a

Download Submit