1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
Size

52KB
MD5

ff6ff155f94130bf420199c0c7b86680
SHA1

5f4217c3dfbb55ba3dabb86d8d59393ff9f341f1
SHA256

1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040
SHA512

8f6fa69731a4459eb111c014648b0790874a1c86a662e23e09cf3ed27bccf29f4289f53f83dfd92b617bd18aaeb6b88f7cf46f85616007270fcc84114ff88a44
SSDEEP

1536:W7ZppApBULcfpHLcfpSo3fstvtPYcUYc6eMa+QeMa+U:6pWpBwchcUtvtxeMa+QeMa+U

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe

C:\Users\Admin\AppData\Local\Temp\1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe
"C:\Users\Admin\AppData\Local\Temp\1d8afe76040d5fd52b2a9932ea949a56eac0c40deeb2694737aa828bcde2f040N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

Filesize
53KB

MD5
9e84e9b1a4de12ebd22cbcda873c6aeb

SHA1
225b4eed5cbbea4d694eddfaf9d29e64617db57d

SHA256
a7a35abd9ff4262aa93267a878728628da6ca808c43df6d0a679d97dcc38aa0f

SHA512
8f136181961c12afb7e3a53cffbfd5e3e91343e5d68c2e66bc97f5f2dd8aba54d33d4f0f2190267d45aa02a680ed8113e896c7072c26519e5848db82cf2ea4c4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
8ee7cb25ca3fb3dc517981cae00ef39c

SHA1
51c1d61ae88c9911bc4938c34d0bcacc176f0158

SHA256
387283c85c4f6823b81f40bfb42b429b9cf969bfd462df09fd51c7721c5859a0

SHA512
26dad820a5f2909f081cd33628276685fcd697996f327e9c90e5f1952f0933560dfe525195d00fbeefce8d271d41737c57bf693723954f7a6f2b6864ebf7c773

Download Submit