adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
Size

56KB
MD5

6670c36334b955498fa12357941a28c0
SHA1

fc6f95c4c1ba03359906f82d52fec67afe18df8e
SHA256

adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200
SHA512

5d2321cb6533042df7413969fdea5a1dcc800857ff37903efcec4420143a76624aeea9900e219976f4bb7496529e4a85161af14de7450ff9a98a9b9d37541fc4
SSDEEP

768:W7BlpNLpARFbhblkYlkrt8PWGoPWGqMs1MsR5nd5nyQG+QGs4M:W7ZNLpApCZrt8PWGoPWGANdNyky4M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsFormsIntegration.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Primitives.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.AeroLite.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
File created	C:\Program Files\AddInitialize.DVR.tmp	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe

C:\Users\Admin\AppData\Local\Temp\adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe
"C:\Users\Admin\AppData\Local\Temp\adde0a29f3720c6377963c9438bc23fadecaf038a4c392860be2811075e1a200N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
57KB

MD5
2f929e441e8b6bafed5d64d4053f71af

SHA1
2d1d17cefb4593de4ced44507d0abadf86d0eb2c

SHA256
1fdd7126933205ed8d8125e95da1dfe592282c303fcd4ccb76aedbb1a3da959f

SHA512
d0149f1bc7794fe9e3d46bef79fc329d0f4de17a20f1df1dc279ccbdfffe8c7a88b7b6f9cc3f4ce914398f10ebcc9ef03eb269f8060a12ea23331146c9552d81

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
c46d27b6491c3ccfda38a1b0a8983284

SHA1
1ed0066aa422ca645fcbb8296672426437a06243

SHA256
a6df23d6a81ade2a970dda4c86861e60e79e71ec24df19721f35c7e6fb797670

SHA512
9ae5aaa973a9109481a3f65a20cffd981cf5de4eed3067083113c54007e5131f34945da63172b2f2530f6a4201b9302b752eb960b137eaa585c43e41fb8a1c1d

Download Submit