8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
Size

46KB
MD5

2a4a3a7f530d8413ec2bd03152a081de
SHA1

fb97cda30fe2bf40f40399ff6623bf13d0b76267
SHA256

8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf
SHA512

f21d05608ada0b7a3935496f041e636b01b069a9f8b726b16934630b555fe453907fa184f2ef6d465f439bdf103c78bab3621b0ce36602a9bb3abdad3f135cc4
SSDEEP

768:W7Blp+pARFbhBgnKLMWK9WKD2N2LSarSaD:W7Z+pAp2nKLRKIKqoLSarSaD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4866) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\ConnectUse.bmp.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEIMP.DLL.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONPPTAddin.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe

C:\Users\Admin\AppData\Local\Temp\8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe
"C:\Users\Admin\AppData\Local\Temp\8a95ffab108b2729442bccd26f0069d36c5eccac09b50dd61bb2a678c6bea6cf.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
46KB

MD5
af8146283df494903c89be728065ee6b

SHA1
3f2080d6a9a38ba7bf61f4529b3216101a2e1c8c

SHA256
4590d4ddf9cd3723387fb44ae6801b50c5e177bc5872eea1ec28005848663ec3

SHA512
576cb993e443dc7130473b99adc1666eedafc97570e693e0d4a1eb9f5385e652d0b613f0d52c0c3f1e73f14ed88478402f4ac778f854058c4647e03c7eca76f1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
8ecb1281aff9bc2da19789b121121211

SHA1
45e44df161550ed444b8fc7da21208272ba9129b

SHA256
57daed273400f0ff1b624bce233cb9fb9ed378d5b400aea433a31dfc6ff3ba64

SHA512
653cf9278f4ce417c58951012924db7d363385ba4641d17f2658a58314a58a268976f266063f0c827205de4bb0cf525c7c32223f6dce290cd87da1ed01b59490

Download Submit