fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
Size

57KB
MD5

c51958289d5d4c79ba5937210c968a81
SHA1

ac10a070356bc43d49879e24e4b121e7dc1d4d29
SHA256

fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a
SHA512

91c6227f72169c830ad50cb20e715d9900300b07e38f1ed8e735cb752bf5cb5c54156f2f17f73e0d7f21571ee6d134c75ca426790ec5edf42e53a8cc722b26b2
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJxfFpsJcEKLF/MF/28HaT99:/7ZQpApze+ejfFpsJPKZ2e8HaT99

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\desktop.ini.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.tmp	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe

C:\Users\Admin\AppData\Local\Temp\fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe
"C:\Users\Admin\AppData\Local\Temp\fbd91c33db2d2deec1779820d1bd197734321e4a007beddf8a1185a1a5bc667a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
57KB

MD5
27cf618b8459511c2e1b3f0afd2104ae

SHA1
fa3e2e3b5ad199e3f9282499d291b3b8969bb037

SHA256
c57ee25c76ac2166e5a3327776eb7d5e6a87e5cc063574996aa3ccd68e12ca6d

SHA512
497505b5daa3a40feadbc8334253cfe5e882b75d45175b0dd3ef98ba4449a23fc0859850b3cec963263f04c169edfb69c1a9488ffa9334935fbdc10da6e06b0c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
2f67cc6cb8f78d9ed85fab5b63c98e11

SHA1
65de775206d16479370ae18e61755f514a181ed8

SHA256
a380dd9563a91582bacc88a80c8d2151667402e837ff884fae1b6f69794faa70

SHA512
4de72d0eceb822078a7bec3bfc5bcdc0cec78e013758cecf4e5636a1481586a57013fb1cc355c67487077bccf1edb2bddf8e71743739d0208409a8d6b9869dc5

Download Submit
memory/2720-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2720-1784-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download