Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/08/2024, 04:08

Static task: static1

Behavioral task: behavioral1
Sample: f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe
Resource: win10v2004-20240802-en

General
Target: f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe
Size: 40KB
MD5: dfe36dac618af425c296a414dd70899b
SHA1: 0104a9cc587c4f00c00dbca38cde98b283d44528
SHA256: f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12
SHA512: 19eec3598da432cb67d05a1249a009a2215bec92a026c69460cf7d6fb25408f46be26a08f02e976871e19887f4515e26e299fd5bd768e5c1401a2fca0ccd5740
SSDEEP: 192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJH6vBSSvBS4FmYZs:yBs7Br5xjL8AgA71Fbhvx/5Xs
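Before acting on anything in this report against a locally held copy of the sample, confirm the copy is the same file the sandbox analysed. The following is an added example, not part of the report or the sandbox's own tooling: it recomputes the four digests listed under General and compares them. The SSDEEP fuzzy hash is left out because it needs a third-party module; the `verify_file` path argument is whatever local path the analyst has.

```python
"""Added example, not part of the report: check that a local copy of the sample
matches the digests listed under General before acting on this report's findings.
SSDEEP is omitted because it requires a third-party module."""
import hashlib

# Digests copied from the General section of this report.
REPORTED = {
    "md5": "dfe36dac618af425c296a414dd70899b",
    "sha1": "0104a9cc587c4f00c00dbca38cde98b283d44528",
    "sha256": "f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12",
    "sha512": ("19eec3598da432cb67d05a1249a009a2215bec92a026c69460cf7d6fb25408f4"
               "6be26a08f02e976871e19887f4515e26e299fd5bd768e5c1401a2fca0ccd5740"),
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """Hex digests of `data` for every algorithm the report publishes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def verify(data: bytes, expected: dict = REPORTED) -> dict:
    """Per-algorithm match result (case-insensitive on the expected hex string).
    Every value must be True before the local file can be treated as the
    analysed sample; a single mismatch means it is a different file."""
    return {name: hashlib.new(name, data).hexdigest() == value.lower()
            for name, value in expected.items()}


def verify_file(path: str, expected: dict = REPORTED) -> bool:
    """True only if all reported digests match the file at `path` (assumed local path)."""
    with open(path, "rb") as fh:
        return all(verify(fh.read(), expected).values())


if __name__ == "__main__":
    import sys
    print(verify_file(sys.argv[1]))
```

Run it as `python verify.py <path-to-sample>`; a False result means the local file is not the sample this report describes, however similar its name.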
Malware Config
Signatures
Renames multiple (5212) files with added filename extension
This suggests ransomware activity: the sample is encrypting the files on the system and renaming each one with an added extension.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File created" events by process f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe; each path is the name of an existing application file with .tmp appended.
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Uri.dll.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp
- C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp
- C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.tmp
- C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp
- C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML.tmp
- C:\Program Files\7-Zip\Lang\ps.txt.tmp
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp
- C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp
- C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClient.resources.dll.tmp
- C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp
- C:\Program Files\7-Zip\Lang\ta.txt.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp
- C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp
- C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp
- C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp
- C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp
- C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp
- C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp
- C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF.tmp
- C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp
- C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp
- C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp
- C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp
- C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp
- C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Ransomware families commonly use this check to decide whether to run at all on hosts with particular locales; the report does not show what this sample does with the value it reads.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe)
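The three signatures above (mass rename with an appended extension, .tmp files dropped under Program Files, and the NLS\Language registry read) are behavioural rules evaluated over the sandbox's event stream. The block below is an added example, not Triage's own signature code: it re-implements the three checks over a small constructed event list so the logic behind each verdict is visible. The event tuple shape, the explorer.exe events, the ".locked" extension and the threshold of 5 are assumptions made for illustration; the real signature fired on 5212 renames, and the report does not show which extension the sample appends.

```python
"""Added example, not Triage's own signature code: a minimal re-implementation of
the three behaviours flagged in this report, run over a constructed event stream.
Event shape, the explorer.exe events, the '.locked' extension and threshold=5 are
assumptions for illustration (the real signature fired on 5212 renames)."""
import re
from collections import Counter, defaultdict

SAMPLE = "f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe"

# Constructed events in the form (event, process, detail); file_rename carries (old, new).
EVENTS = [
    ("reg_open", SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("file_create", SAMPLE, r"C:\Program Files\7-Zip\Lang\ps.txt.tmp"),
    ("file_create", SAMPLE, r"C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp"),
    ("file_create", SAMPLE, r"C:\Users\Admin\AppData\Local\Temp\scratch.bin"),  # outside Program Files
] + [
    ("file_rename", SAMPLE, (rf"C:\Users\Admin\Documents\report{i}.docx",
                             rf"C:\Users\Admin\Documents\report{i}.docx.locked"))
    for i in range(6)
] + [
    # Benign rename by another process: the new name is not old name + extension.
    ("file_rename", "explorer.exe", (r"C:\Users\Admin\Desktop\New folder", r"C:\Users\Admin\Desktop\Reports")),
    # Extension replaced rather than appended: must not count either.
    ("file_rename", SAMPLE, (r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.md")),
]

PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.IGNORECASE)


def added_extension(old: str, new: str):
    """Return the appended extension when `new` is exactly `old` + '.ext', else None."""
    if len(new) > len(old) and new.lower().startswith(old.lower()):
        tail = new[len(old):]
        if tail.startswith(".") and len(tail) > 1 and "\\" not in tail:
            return tail
    return None


def renames_with_added_extension(events, threshold=5):
    """Per-process count of renames that only append an extension (the report's
    'Renames multiple files with added filename extension' signature)."""
    per_proc = defaultdict(Counter)
    for ev, proc, detail in events:
        if ev == "file_rename":
            ext = added_extension(*detail)
            if ext is not None:
                per_proc[proc][ext] += 1
    return {
        proc: {"total": sum(c.values()), "extensions": dict(c),
               "flagged": sum(c.values()) >= threshold}
        for proc, c in per_proc.items()
    }


def drops_in_program_files(events):
    """Files created under Program Files, per process (the second signature)."""
    hits = defaultdict(list)
    for ev, proc, path in events:
        if ev == "file_create" and path.lower().startswith(PROGRAM_FILES):
            hits[proc].append(path)
    return dict(hits)


def system_language_discovery(events):
    """Registry opens of the NLS\\Language key, per process (the third signature)."""
    hits = defaultdict(list)
    for ev, proc, key in events:
        if ev == "reg_open" and NLS_LANGUAGE.search(key):
            hits[proc].append(key)
    return dict(hits)


def evaluate(events, threshold=5):
    """Run all three checks; mass_rename is the ransomware-style verdict."""
    renames = renames_with_added_extension(events, threshold)
    return {
        "renames_with_added_extension": renames,
        "drops_in_program_files": drops_in_program_files(events),
        "system_language_discovery": system_language_discovery(events),
        "mass_rename": any(r["flagged"] for r in renames.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(EVENTS), indent=2))
```

The rename check deliberately counts only renames where the new name is the old name plus a dotted suffix; a rename that swaps the extension, or that moves a file, is not evidence of encryption. Mapping Sysmon or EDR telemetry onto the same (event, process, detail) tuples is the only adaptation needed to run it outside the sandbox.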
Processes
C:\Users\Admin\AppData\Local\Temp\f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe (PID 3572)
Command line: "C:\Users\Admin\AppData\Local\Temp\f2c2e3963859a83c4f82d4b7b0d34742727cd4eca535ab4181a89a811ca0fc12.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Discovery: System Location Discovery: System Language Discovery (T1614.001)
Downloads
Filesize: 40KB
MD5: 53c6806275713df179a61eab5169f1d9
SHA1: 456c40ef01b34154b77c4776625a56f73184241f
SHA256: 6c18d0daf95b76a8db52302df89d8cf4a0384b4073982e276bc2d52fb94c35d9
SHA512: 61b0a60747e5bf92bc0221c9ef1bc15689b75212517ad580c83e68a22171dd91f45d42c1685948354a14d75c58aee2879d965bd50ae002d3f46287e30b8e6774

Filesize: 139KB
MD5: 031fa1e74911bce65828c16debf6405c
SHA1: e556569618096446da4b3e586710282c4cc99b39
SHA256: a7f524eb29862dbbfb5cf63cacf6b025993fd48ce4b3f2965f1474ee7eee98bd
SHA512: 04974ac52f0b0c9dba368ba184d3f228cf0285ede87cfb569e8259de2b43acb27577279cd049e8d75ec4605b9744591bba69a5de0e00c0db0b11ac35a6f59123