4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
Size

79KB
MD5

31c4a440247d2e8daaf06f200399dcc7
SHA1

b673955405792a049a59584db76658483e7a6514
SHA256

4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4
SHA512

f959515fa4d1cd0b6bc9db41873f0f46b4449ce481e841df3489ba54ed85d401af8ee2cb7331d42041b1e9b218e698acff04898a60e48a2c0ba87f43b0efd6c0
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd55tDYTYv:6+WpDfmRfmhJts8v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-pl.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.gpd.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe

C:\Users\Admin\AppData\Local\Temp\4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe
"C:\Users\Admin\AppData\Local\Temp\4c0f9c32661f96fa6e1c71e61bc31faf70347bff0e1bd9f41e101ca76dcf13b4.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
79KB

MD5
a52e59e60b54b58213e20e59b0ef8f91

SHA1
2deb03f9d9a35a989fb8c4776787a78b525300e5

SHA256
6bbeddd99b10ab15af0a404ebab3fe3b1ea559246a9239f68ebaecea603fcf62

SHA512
5f21f72c9a519c32b991137584c43ac4d58279245c51e6d58c1dcd3d51179443626ddfe259a1c1c9822dcdcbd256f9119e167ca4f9be7a476142dc1290633b55

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
178KB

MD5
2a1c051dd33dedfa628530cd788b2e64

SHA1
b733244209b7cb7cc97542e0accb9d8b3024f6b4

SHA256
05d76170370d8bcb904b5f0b85756b7b6d7123c08aec3138d80d995adee6c668

SHA512
85171328137126148ad4c5b07e9a2c5aaf9242a184fab498b1058756a45f496533c331c132e31f84a207058c4632dbb8466a584c61aca3ceeb401a633c8dc736

Download Submit