a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
Size

149KB
MD5

798f3a3fddcabbc80f9f5c68f94f0408
SHA1

0172c7c3401dbecd89e562167e9dc32b52da7652
SHA256

a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe
SHA512

d99339154fe1eeac97a6c6a7858804d465bd741d89a2391716e87a1875f17789ad12b77a7aba3d0f68bf2196499dbeef876e5f173b596e04c84b5114b7461170
SSDEEP

3072:6rWpcsHEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsP9iMGfU8:tb9iMGsSaOyif

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4530) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe

C:\Users\Admin\AppData\Local\Temp\a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe
"C:\Users\Admin\AppData\Local\Temp\a2d1a361dd68d5c9d1137efaaf9ae7e82c763b9e6472bda985188518c92c5fbe.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

Filesize
149KB

MD5
d003d95d8250153d21bbc81c9bcc19f4

SHA1
654f45c5468f32db16e0ab8f680289905d2c58af

SHA256
18dae9e8ac84f53c621fbc604834a4234895a77fa69843e0686a515b99723e17

SHA512
c376a874ee19b691b5136e5601cc54e4b4b5b9f1ec8017e55cf37403e41b7496832e1104d497c7fac47c5d6874917bdb4e1a66c6e117974b491a0086e4ab9fa5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
248KB

MD5
683114c04c08d98d7a8f2eb53c41eb16

SHA1
631740113d22d005b49a73b282584faf88b8f401

SHA256
7034e8538e8c336f1887b9736898b377b2b548983666fa6050810e3b2e5e6a55

SHA512
27cde15f88d793a53930feb1270d2e068cae8a8246b921d4a6e908a81f73a7931cfb8d09390ee079848c6017bd4d15457ba5a781d3151e7f2853ddeeafb37127

Download Submit