a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919

Analysis

max time kernel
119s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
Size

53KB
MD5

5fcb6ca2d03198c904e0f998ecab5700
SHA1

de3ce9601d1e2be0b2cb3a8a6fdc6570014ed6b6
SHA256

a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919
SHA512

a2789c43965ae0b3752dc4dc51bba55915c6a8f51d2c3e3f292458c94f0a09a22d6dc5e9dae1217a657fbb83878a0c4eba653d21614457c54ac0b5524bb34150
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATNyIHAJvHAJLMF/XqsGDGEEXBwX:W7ZhA7dABJJZENTNy3m

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4660) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\GroupOptimize.vssx.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe

C:\Users\Admin\AppData\Local\Temp\a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe
"C:\Users\Admin\AppData\Local\Temp\a5b6139ff63b1a14761e4c40ba5821adc51d32284e7861b46780af8dcbaf0919N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
54KB

MD5
aad324f8aaef8dd13bec60445a2ad735

SHA1
fb74459f70192b816ff887eb0c4536eb5890bd0e

SHA256
aebaa2f098927517cb369e4a3b240072dbf1f3f2d8efc8b569ad30bb23eab6c2

SHA512
9f85f18c20e4d589df22912d7c8933603f5da09f5fc9c2f37cba36722af0aaa17e5361b55e78fa54bee4baba704d88f75ff980678cfff0151a0a25f04fab4702

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
11d2857025c38038eeb28935278ea434

SHA1
0c0791b4064e5f04e8d315ccd368b79d512edb2b

SHA256
fc549d8b7ad2f1583091097bf672842569763de87f9a1584689f472fc2dbbe72

SHA512
e2f504b5b06b5c7f6b1d8514b7a679e76fed93822a84c0a49384a826fe8c5bede2cadacbff1688b13de707ef5720af6e17ecc81238ee22513b72134bfd3e08ee

Download Submit