af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5a

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
Size

49KB
MD5

ab572ffe99c1e8d7613e4c0b570d8750
SHA1

1deb1ba29ba5a2fce01d40e2060d638cde8eb747
SHA256

af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5a
SHA512

4a0c6e993760ce62c9c7b5486bec1c5ba884d9123f47d2a43412334fdabaa1aba0194debf84f0453feeef6c109489bb649533dcd678d970ad136467f4c699024
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLUty6J2CzxJ2Czf:W7ZppApBULcfpHLcfpyD3tHRz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\msipc.dll.mui.tmp	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe

C:\Users\Admin\AppData\Local\Temp\af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe
"C:\Users\Admin\AppData\Local\Temp\af9e134cb333d7f9ec10eb6840d3e9701c9a462d6e81b2897732c5881064fd5aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
49KB

MD5
7eeec7a33817a4138dcd393aa03e6067

SHA1
18936b574f238a52e00d5524b1caed4b7026b938

SHA256
1e04bf0ee7c1549bde0c111e17ed5ef6c7c99732eba7c213ed5e5da57465e1c1

SHA512
e4e390f02bf4827a2ac981fb273b20ae1f51d07bd72898116be74436bad8d8da56f5c40d1413caabb2723f84a0527c8f8c6b34068592c847b175e00b88737085

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
1641551c9074c85a2a18e266e314f579

SHA1
e752de17cad99927f0d75a5ce5a4b2fce4e76c03

SHA256
844bba847515013533588f029c81a20423b8b79fdd6de11369dede048288d71b

SHA512
c32d43482e861c35f6666324599dddc914a22d6d137f214035030dfb2957167a50a47a87ab0febc59855f9912b647e5433d319f33cd487c896689d0b5aa43179

Download Submit