06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
Size

37KB
MD5

7ede1cf1a0e13c0ded26499c16d37ca9
SHA1

39b439f68572e6dfc5aec7df61e56cb254a0c76f
SHA256

06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52
SHA512

4534d36b676506b4c36f17e924d1b76b62f85a12376d0e32d220417c5196d6d3622ab50ea0ebfe4d64e1680862dc370256ef4eded39038dbfdcc2a6344c5f51c
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8A6:W7ZhA7pApM21LOA1LON6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-oob.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-phn.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-pl.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe

C:\Users\Admin\AppData\Local\Temp\06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe
"C:\Users\Admin\AppData\Local\Temp\06c1a43fbcaf4a74ee1410ba0aed302c9026545b0e9ee197b99440ea8d134e52.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
37KB

MD5
760bcb11570121e175fa9debb2569b08

SHA1
9134d03e92a1d3855a603c1dd7d3930873bcad8e

SHA256
ce2d8bb1c729ef0e5996f1e41c457f0b65db34b15627240361f8dce5d36d1884

SHA512
3bfea2778dafdf511c1d32e3b573a6977835709377cd1186320eacc33fb574df574128eb5e68b381c92941a4f2ef809c276f060378b1516f4bba3a9167b5f078

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
136KB

MD5
fa9b4ddba8289bfc79233a31816c43ee

SHA1
28fdada0dbc4ac005abad73e37bc19661172aade

SHA256
80b115a27ab36c7b7756ff920aba1bd2e17b37576395007a53f519a076366a7e

SHA512
cbaefea315c348af5a9a4aa3e9abcf5d7d154e3528cd6e21a45f35e9c48dab89f0ca1aab8aca1cfd0861528873181b18be106b0f8e5eb45174fe3a4a83123a8b

Download Submit