af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
Size

56KB
MD5

09f23aff2c768691890cbb5ed13544be
SHA1

9f9026e2b7ad7413d1d193a5fac330107a799c7e
SHA256

af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea
SHA512

4c4a897e75eb982111553c935c33e7f8243717e98f27a560fb34ddddc2066281f244afaafeab2d24de836c417f0effb954b42c2557b431c380e231bf1a2dffa0
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJWX0kXX0krDzgpQZ+zzgpQZ+lb+kbM:W7ZppApkGpaI4lykyr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsFormsIntegration.resources.dll.tmp	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe

C:\Users\Admin\AppData\Local\Temp\af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe
"C:\Users\Admin\AppData\Local\Temp\af7ac8ebf2bcb4a7c1308ec48837f478e3c83b8a62b1b74b342800d5241daaea.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
56KB

MD5
2722a9efaa3ca2b3568ae7832ac0079b

SHA1
1a70151e63ce29276db6ee52b9bb49cf0fbe758c

SHA256
7aafca727d9b7069265d79425fe6d3eb71a1a9677d25701b15975034afe212a4

SHA512
aa1297f446f375ec79de93337f97781454bb6ba9f175322ca68d0176361c752f71c122aaa6eb16548f3bbc2c249a53c30833259c8fec38279734f58e622131b1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
f4ec4d77ae3b96eed49c19ded4a5ec4e

SHA1
cda04fb6395dd2cd2a67131cee2f4b578b20ec90

SHA256
b6ccc7a6c77085f3537c4e0a92cb9ee575a7f998835c446a2044cf1c63a5236d

SHA512
b6aa934b1846c777f0d6b2ce0fee093cd051a3649ceeef9a831a29a3e6b9a9931f52f1e87e54d8684e0d5103eaccebd022d91d7f56c1bec3b1104dbc36baa46c

Download Submit