02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46ae

Analysis

max time kernel
63s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
Size

50KB
MD5

9a2ab7a090398ec709cc2404006ac140
SHA1

273b71c5afe275198a8e32fcc470ee7cfa11e12e
SHA256

02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46ae
SHA512

3ea8aa180a60300e7b2019755816d56a99d6ca5fb20c47f2aa676e1bbaef20cf634ed4677d9f806ce249d7c4f688020da91e678149b9d76cd467692b128318e1
SSDEEP

768:W7Blp+pARFbhBgnKLMWK9WKD2N2LSarSaxLeoVERZLeoVERM:W7Z+pAp2nKLRKIKqoLSarSaeWM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1837) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.IsolatedStorage.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationFramework.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.SecureString.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationCore.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Input.Manipulations.resources.dll.tmp	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe

C:\Users\Admin\AppData\Local\Temp\02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe
"C:\Users\Admin\AppData\Local\Temp\02ac6e0297db89722f6ff582359464039b834da460844cfc51390b0aed6b46aeN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

Filesize
51KB

MD5
3cee10fdfd647b8f2540347782ee9289

SHA1
e1fba3073b0aff2caffb8b89f6e3b72b2f132eed

SHA256
5761981bf0f0dc9ed0ccec998124e73e13f421518c9cb07f5f16089d3038c7ba

SHA512
73e8112c1b42ff43bee1c49742bddfe6a3daa6246538ae342b8f07429c05d3a73961d4450904f3f1514b03deb9d578a4d0eb2af6469b136628eb0ff21c15bac2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
da4bbb5ad6439b2e4930346f190942ff

SHA1
a800a92dd3df10965b05840ccca838318d60c597

SHA256
6b554f1a6591ff8cc48bb20158cc13e6cff0a51277ef9b81c6fde6ed456583b3

SHA512
94730167c2badf6ec5af4e4d974ca4bbf1647e1762edae4a62a50374db454568ab86c38536fac572344c7a0f3e6253816c9dc338c225064cf4173b2e7c19827c

Download Submit