af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6ef

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
Size

41KB
MD5

8b06ef437e5b23f27a979d7f02514360
SHA1

8f77e1325c94bb0cdb15485ac01b03d80ac5237c
SHA256

af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6ef
SHA512

ea02291e7059b64198215e421cf6c6eabe4e324937f6ae6edb882c31b53b567ad3078a681e50a8e9dc4ac41aee607c9e887e8f0cd1ce506b6cfd1fed90f6b935
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPcNOF8F0qOF8F0PDXxhDXxW0C2ChWu:W7BlpDpARFbhmauaLXxpXxW0C2Cd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4554) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Common Files\System\ado\msader15.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe

C:\Users\Admin\AppData\Local\Temp\af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe
"C:\Users\Admin\AppData\Local\Temp\af7056422409dbb2535897228c68c5eb119c6916212a25c5d2d283381e23d6efN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
41KB

MD5
3799df2ebab70cb9d6c68425e8977d1c

SHA1
f6adb2b7a248405756862789a08e445358131b24

SHA256
df1060896095a40772f9c78b1c53d02fe2462caee9aa46c9f9024af9914a368d

SHA512
7fafacab380250e7d2ac95c89a20c43ee4ba94e7bd3da21521f70e7fbb3295d812b503ff5a61bdf8c593ab4bcacc1c49f20067ec3fd1ec3bddd91bd2cc19e111

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
3b4d61f7a5b946a1460573f6456f540d

SHA1
200d84a096b652033c3efbbb97dc9a00bf0cc80a

SHA256
ca923b81823786b09a232e19c225f2dbee4f665eab1ca428aff424a6b9a3dee1

SHA512
98dd868db71fa18f4abfd519c7e78d1b698ab40d52a72f90b7ee9141d2cd2fbf857d2ba947e73aa41a014ddb3832aa19785c7bf4f8649177ecea8e62da4fa7a6

Download Submit