a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
Size

65KB
MD5

ce26d464c21b2820da7807f4287ffc60
SHA1

51bb8d50381986039cafab96b0bf7b27e8a2d483
SHA256

a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585
SHA512

5aa31da7a2b75b99890e3cf9450852cb745e228e200ba14321705ee9799739f45df9af938873391986553ae039e855050be1c71616b337f70438067b913e0daa
SSDEEP

1536:W7ZhA7pApw03vR03vcltdtSsU8Tu8Tmwzw3wLJ7eJ7J:6e7WpwYRYUtdtSsBc3wQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe

C:\Users\Admin\AppData\Local\Temp\a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe
"C:\Users\Admin\AppData\Local\Temp\a163b3f63ac133683e09d3773b56888a8812734f5a03b17f414ad0074804c585N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
65KB

MD5
61ebf5af7a80b6cff225fe5e04a0a7e1

SHA1
a45c737511dfb55f759c9ecf0e814c4f340df7a2

SHA256
b58e5e469b320eb4bfe7f36a5c630de48e029e56c01206d47bc21cbc1eac84fc

SHA512
829a9cf7d5100767b26d56c4747df518fb8a02a4a316e0720436e6b3d559bc5001b070232131b2407d27c98d8dfa5ae6071296cac2aeb79af1439aab6d8baea6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
4904fc05418b281cf08c8eacbe29546c

SHA1
d18575f0dc108f1719563c8b68612ec66dcba2b1

SHA256
f18127ee414df85246c73e5ef4857d8eafd603faa855ecc3656cb9f55b956688

SHA512
cbadcb0b1b0a7e07c6312926ffe97d62ae85b2f2d244cb27f0888833d7de54a2e3162382a4c47214b519e77eb198a1dd43809caa3f5a7bf38c7e87d469fa29f3

Download Submit