7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
Size

48KB
MD5

f1576d399486c7c07394aa985b0e7200
SHA1

20a6c57cd71b71e28c917a95786142c81947208e
SHA256

7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8
SHA512

cee099de9c8321a87f302b7c7b7dc21eb2b865ad12ec8ddfcfafd5837256b2b95a723a5c69dc01a0b35014588e52ed46666d4520ce097eb04745fdbb433cd5e0
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVy/3sY1YE:W7ZppApyVyjVy9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5209) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\README.html.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OARTODF.DLL.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationUI.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.bundle.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsFormsIntegration.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe

C:\Users\Admin\AppData\Local\Temp\7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe
"C:\Users\Admin\AppData\Local\Temp\7aad4b55b326b5d3546cf5e3d8dae72306656ae67a51a0963632a76060a886b8N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
49KB

MD5
230f448782e0338d8ec3ff6d278b5ca2

SHA1
c0de5856afa5b5b0c2af1c7fc811a2a4bda2ff7a

SHA256
b2ade1fff010c8c0434d4ab6da5d35c223658205649fb590a981d04e9bef38e1

SHA512
90de081c1e43d288593ea7065967d8efe4a5ba1fbe352a6e4d630ec1703c64e61d06b293729a0829373d24be49bea0b3f8131f40dc211bbfd1485011a87753fb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
dbec23cf4fdc2c2288009e6f8d48bd47

SHA1
71217aa15bd62f7dc78c790f48a6364c9e4e1293

SHA256
38d483d8525b674a8c0ce1bf6addb808c68bcceaf8b8fe629e1577a0bf729743

SHA512
7ad61d7b8ffb1f7669a9e5b44f55ca04f31b3c6ba9eaa313ed67f71ccf3648b7d55112465358e5220c2440a8ba2e188d17bc431ca58ae18eb65266b606f24c62

Download Submit