1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
Size

43KB
MD5

4d9e1da319c45f4bdae0d73d17dd81e9
SHA1

4a420920e88b0f346e86cebe1f73efca514ff2d6
SHA256

1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9
SHA512

86f5c627963a7e71ed1f832c110b5dd771d9a7f3775c01d422407b222cbce47b8d1c912e368f55a63045a5807f9e31c457408bc3a54dd22ea329b2bf4293935b
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLic4Qc4T7A:W7ZppApBULcfpHLcfpyDXcHcM7A

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5236) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\vk_swiftshader_icd.json.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginLetter.Dotx.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe

C:\Users\Admin\AppData\Local\Temp\1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe
"C:\Users\Admin\AppData\Local\Temp\1f230c7b81edecbcdf0087c4d3cbda0029a9887c69e9a639542034eef155b8d9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1266786182-1874524688-71015548-1000\desktop.ini.tmp

Filesize
43KB

MD5
7957139746ad7ffdfbb1f2be60c01b30

SHA1
c37db13d3c3f823d4bbb2c8d451dc2db2d894060

SHA256
ee518fbf026c00f5c38061e702181358f9d750889cf929b36cec41729a64a851

SHA512
d9c56489adf1d2a8de6e1b7b3af7276ea08fd007d73676a847673373d3ae8ce27c1b3ea03d0f4eab4e0a09ab37148aecd3b0a8e832d226a881771fcbd2a76dc1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
624057b28a9b4238b30a65c659288ed8

SHA1
2a7f6359023ef864d94457b3b2aff692a9f42b15

SHA256
ccc80e543d685f5ec4ac8b7658684a71c953729106be9b8f9f0b689fdf8ce77b

SHA512
37301336b1d41f81bf384cb2ca76e7f7a66328a28e4936b0c6fe45cd7912fceb401d70fb562c3c041bfc467915f810e286701f2175123ffb33a55933695930f3

Download Submit