f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/08/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
Size

37KB
MD5

edf1d402e90437214c83932626371bb7
SHA1

3519acc63c888a9a11cd5ea256f3dfe9614b909e
SHA256

f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469
SHA512

593a122c5d28459ebfadccb666e30fb5c86c81c0cfe79a9fe66d21d521b4f166b69271e4e520009b9a2c10693d4a9fdc4f5569098310f0816e2fccae368ca61a
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzYlzGAlzGY:/7BlpQpARFbhNIAGoGY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\de.pak.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jre-1.8\bin\jli.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-pl.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe

C:\Users\Admin\AppData\Local\Temp\f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
"C:\Users\Admin\AppData\Local\Temp\f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
37KB

MD5
f5af82b7346d29a2e6dbfeab35c8c420

SHA1
19e668e9477c64ffca9cc7328db58448fda3adbc

SHA256
3813dd5160136bcf775fa03daddb1f24f8c8c73410fd9d8605d76b914fa169c7

SHA512
7c25c00a2b28d1fe0f2720834bdf00450d7881b3c18b7051586fe15394f897c1ccb2d6f0145789fc0fb5cec3292ebb1565ad7f47f54b341cbaa3ee5210a0b51b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
136KB

MD5
d62afac0b09ba5a97591d395ec35346e

SHA1
3ddbe7b1d56ca69d34279edb2818da74cb5f5b35

SHA256
628286d5167f9363d968ef4d68bf5318f5555c6bfd6bd3f9229b50dbd2910f95

SHA512
736d7913bb1ef78ba4c1677d8e8b793cfc8848dbe04071cb9e92e6fb5035eaa878585c0e08f92787ab09d660129c0584778fa99ae972b79203faa9515fbe8090

Download Submit
memory/2964-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2964-1920-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download