Analysis Overview
SHA256
aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66
Threat Level: Known bad
The file aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe was found to be: Known bad.
Malicious Activity Summary
Renames multiple (292) files with added filename extension
Renames multiple (189) files with added filename extension
Drops desktop.ini file(s)
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:27
Reported
2024-10-18 02:30
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Renames multiple (292) files with added filename extension
Drops desktop.ini file(s)
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe
"C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe"
Network
Files
memory/1972-0-0x000000007428E000-0x000000007428F000-memory.dmp
memory/1972-1-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
C:\README.txt
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck
C:\Users\Admin\Desktop\UnpublishRevoke.xlsx
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:27
Reported
2024-10-18 02:30
Platform
win10v2004-20241007-en
Max time kernel
103s
Max time network
153s
Command Line
Signatures
Renames multiple (189) files with added filename extension
Drops desktop.ini file(s)
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe
"C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe"
Network
Files
memory/1528-0-0x000000007460E000-0x000000007460F000-memory.dmp
memory/1528-1-0x0000000000A70000-0x0000000000A7A000-memory.dmp
C:\README.txt
memory/1528-46-0x0000000074600000-0x0000000074DB0000-memory.dmp
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi
C:\ProgramData\Package Cache\{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}v48.108.8828\dotnet-hostfxr-6.0.27-win-x64.msi
C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs
memory/1528-1359-0x0000000074600000-0x0000000074DB0000-memory.dmp