a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bd

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
Size

48KB
MD5

6360f7f944daae7ea0b2f7e9f5c1fb80
SHA1

2183f86ad1fe46428e76a1c2b52de5039c743d4a
SHA256

a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bd
SHA512

966f37a9c5804b70d78268b63cba355b236838a85757106551440c8954f27180d2fb5abd5764838c166a91060d40147710e0aa40cfe94cc779568efa93b167fb
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LORWAnWAkpUE5c5gSCFJFK:W7ZhA7pApM21LOA1LOrtkpt6af4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.MSOUC.16.1033.hxn.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe

C:\Users\Admin\AppData\Local\Temp\a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe
"C:\Users\Admin\AppData\Local\Temp\a43690b827c347e3c78257759faae8317a0c27992d5cea7d8d9bb255f64e04bdN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
48KB

MD5
5d0726098e22804f487666f7c524c58d

SHA1
f3f7305596facb525959f69c2313f72322cc05a0

SHA256
7297801c60cebe81d04ae68b13cba82e31af106dbeeb38eebe2ed1dfc9b76fd2

SHA512
31b505cc9f9ff4cf15c74e108639b271773365456b76306c1082682923ff63f04b854f4397646721b8b66069bf9e9364de291b95ba616b73f58f0d963e577022

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
fb4b4bc98aee1a90962376cb09bfcc6f

SHA1
4265d338c473d227a39b364e1ca39fd845fef704

SHA256
879464df483a070630b9ea3ef5d81abc36c493b71263ee266724baa0fd95c379

SHA512
5e32983ddcf3869b7d79366557c5d7c77d04fbd1999744dd14f28603d243a6a6cb3c55ef0b691c70f50a5a758428e37fd9ab54ec5ab8ffb5a3e17c5ebd7595cb

Download Submit