f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
Size

76KB
MD5

9673b32986878c66cd8e06100798a472
SHA1

a9434f865e648a77881406fce61e1aa34d72b66f
SHA256

f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec
SHA512

86d196c08463d7b20d5aba44d9670d29e1d5c0e8046588ef5db01ac4d20ef20d3133b1e0b4e6e3c324d5942df9707fcfab6fc230656ff94683f9f332d3986440
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd55tDYTYx:6+WpDfmRfmhJts8x

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Controls.Ribbon.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe

C:\Users\Admin\AppData\Local\Temp\f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe
"C:\Users\Admin\AppData\Local\Temp\f39f86d5646b306f1222226c24d2fba661bd4d52e5c7ec9ecf7df07c90e708ec.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
76KB

MD5
1bb9233cc2f9dff737393f4cc2e149b5

SHA1
1c1a6f58d65a7c2d72e146eeea5330977b02869f

SHA256
b6103767d4e159d05d3c184dcff0d120f19e88b256d7736025401701241461bc

SHA512
c43e419265c99bd8e89318edc491f8d2e33720b6a24fde8d5562a688e9a33988eba6285b760c4c265ab9fcce5197180de3a05bc89a7d5a443cd0a145d604fc05

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
175KB

MD5
3cfc29f9c68c67f33a6b4d840a86bd4c

SHA1
fca4e08f44468f870d99cc8a5346bd46d1ceccc9

SHA256
97118a15d33d716ea0dbb6458e42aa938c161240476108f9632526cbd32c1232

SHA512
2d6ed9c302f998d44584dda8a59afda9e682ccda26d5332b6823ee24ad66d652eebcd8447a55533890497e2b24ce5824bd30036620379257727314cb94327832

Download Submit