0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 18:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
Size

69KB
MD5

733516ad16c738f5d9de91db90fac0a1
SHA1

eb6c043028a138f03b6019d3436cf5d18ee199b1
SHA256

0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639
SHA512

cd80be5968009819b5b8773a6ab4258771059534e8000a2905a90749e560cc882e7aa2499d0f639074f889c2213a6e9493a1884ba936ffce469e054b06146a79
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPhAx:6pWpUnDXxXD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5036) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicudt53_64.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationCore.resources.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe

C:\Users\Admin\AppData\Local\Temp\0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe
"C:\Users\Admin\AppData\Local\Temp\0a4ecb55ecd42ae6d1a5cab5bae11769866059ad6c3fa5eafd2c39f253c6b639.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
69KB

MD5
92fb3aa16e2c8c68981356226766e9f4

SHA1
dbce4862412d311044cf7d5d3f8f29ab075f9eff

SHA256
fa1920fe74df2b044b92fed9fabb03f7eb0da3102a853d81843ca5ee175e8129

SHA512
f1cefe3779c585f97befbc2d7307a26e4c3f18f2152ab67f1f222759164063822f610845005bdb2cace3ef3a4e0c8b606b14581423cef500def857b5107c3808

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
91709b58a08878e6d549dff2d6d1f6c2

SHA1
c80316fc9692e32a1069f40ca5adf14af62df4ea

SHA256
3f3c6a5025a1a4984efa1c7c46d42193f2e7930f9b4185b638653582747a4614

SHA512
2a7a3bb6939d348ad7e6e757d50c0d1d9e71e54acbc4e8379c536507d335d5b42308389d4dce0c7ea89c9d3a0b03825402b3c8b5eb5bf62161ec72603804a9f5

Download Submit