1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
Size

33KB
MD5

08aad3ace781d66fbe36c389b0d38483
SHA1

bac7c440417c2b0a1871874a00bcd32a8d891600
SHA256

1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c
SHA512

78bf42f28d45446244ae50a0618e9d5437bbfbf965775ff6b7deb772add5fa253ed81bb9abb69cedecd299e7d7ac5f1387ab86547d41b96d7b504bb95c2ee771
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHhpqzXW:yBs7Br5xjL8AgA71FbhvsR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemDrawing.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationTypes.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe

C:\Users\Admin\AppData\Local\Temp\1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe
"C:\Users\Admin\AppData\Local\Temp\1f5b1ab2c406622e700748ab76e7d51ee8304198b103a2f32c6b3be7393dfb4c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-113082768-653872390-2867000172-1000\desktop.ini.tmp

Filesize
33KB

MD5
0cb7c68518779ed3fdc2f8b038de83dc

SHA1
fc74445ef74f59d8e578666b00593e2c9a84fb7a

SHA256
79b368e909be4e8ac4d5093ba3ad1db2be7fbcb620dd98df8a726498f8362daa

SHA512
30b9a27f6edc7fb04f95bd897e4c552e4f41b047d5c3a06e88769aa9f90a9c325228b953b511ccf5ce4de673b11456794899a40c79019bd694befad2f0d62129

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
132KB

MD5
f76ea694f77ceb1cffb54126dee8f03a

SHA1
63f63bfb06e7598c8474d008969ef0779b3c8cca

SHA256
2a8943021063abc8b26827604fb30174d90eff79d60fe6424e7bd404e409bc37

SHA512
f06b67639fb6cab16d15f771c84c5a3d08e9d15d5bea5128327c2704535126f0dfadbe11472d2e02e4b76d0f07e208035c86169db623fe0e7e1dfe20de765a74

Download Submit
memory/3364-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3364-2010-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download