04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
Size

57KB
MD5

4f487a9421f5ed437282d652384aaea9
SHA1

eb831359f8b18fc55cbe3f4bdc8f519cc521088e
SHA256

04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca
SHA512

98ed997bd45eed1f5559e35fb8b51a62348e1e38ec57250b1dfd8705c0e40461f51686f4c831ab714ad43a88cacaca15c6e88b0dc163dc961f405611c96a495c
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNKVkVYlIAItCCIntkntV/PMpMf1Dxp1Dxw:W7BlpppARFbhFAxC7ntkntV/kCHRw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\EditRename.mp3.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsFormsIntegration.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyResume.dotx.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe

C:\Users\Admin\AppData\Local\Temp\04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
"C:\Users\Admin\AppData\Local\Temp\04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
58KB

MD5
4f00329c2382d4033a31174b22d438cf

SHA1
50813dc19e9c251a8e16c76d9f209848ffcb0183

SHA256
6f529269306b6a46946ea302c68e9982587bd4f9614b59ba097ec38e96e24ba4

SHA512
39787aa56892c27c040ecf00b84d5d0f397600f71e9fccfd82e4927894b2413c2f347328b892280fb617cbf70ba8c8bdd85a20301315d0dd1094793b154e9e43

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
58685e2dc80e1ad8c16aa61585552c1c

SHA1
3eac7bbfccc24df092d441fa423b275cef839ca5

SHA256
33c04b51266f47294bcf3584ecc5584ecc5bfd88578e5c5e293c10846c2b18b6

SHA512
0a553718d864cdd103029856b27bb9ad203b02ba8010094f0d74e5788a94a9d360015624477cbc2634b065672c148a9545d989e10deed4f0e9b5b4abd13a32b2

Download Submit