a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
Size

38KB
MD5

f332fcfa34e41aa67db9be66d39e7dc0
SHA1

d51f15be5e39f419516717c53314105b30ea6ecc
SHA256

a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39
SHA512

55ffe60370e3d189b0c3cd76025ae4739ea85c1a2e203051245e8d48964a936a6cb5df82ce261525ef07dfe3b3c78e74af07e2a249d8c6b0129c28b55562bbf5
SSDEEP

384:yBs7Br5xjL8AgA71FbhvsIzaApAyJO3ApAyJOGiKp4:/7BlpQpARFbhxztpAyJ5pAyJZp4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe

C:\Users\Admin\AppData\Local\Temp\a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe
"C:\Users\Admin\AppData\Local\Temp\a77662d7795eb03658693f72f770c701d60e0ac69309fb1e6be497df57de7e39N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
39KB

MD5
d34e166c93d434209487c75d784ae39f

SHA1
bcd21b30853bf7746dc441cff67257e12d61bfcc

SHA256
ea24dc464fd92003fa0479b8ddf536bfc06d227b01ddc499ebfc7ef52d50c953

SHA512
f4646bb318525d2bb47e5fb4c43484ad9af65097b8923ce6b2d11ea89b86db77773b9f9f753baa8aa259a15cbc459484327aed27ac4559982d6f337336c27f7b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
1ab6d6757ef10a518e929cfa734cb2da

SHA1
411f59852bcfe8e10384050e8080356d914d2b67

SHA256
8ea5c447ccef08119276501d8435c14385f582be970ee9d7b3d95d06cd1caaa4

SHA512
989fd00c32871308fa9375362241fba4acbd102e1f19768faf4070a56a0dadce920a44d19166febafad6b0c7565800660ed6feb8ac7aa7fd0625d89e5f173675

Download Submit
memory/1036-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-940-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download