93b3dfeae526ce535c6ba73ea064117614c6305a9b2452585bd0e24e59147f90

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f59194089f7ba71d020afc2e378f7c00N.exe
Size

42KB
MD5

f59194089f7ba71d020afc2e378f7c00
SHA1

b26969be2f7f4874cd27d549ff5ef0c840560f93
SHA256

93b3dfeae526ce535c6ba73ea064117614c6305a9b2452585bd0e24e59147f90
SHA512

f128f90fd7a75d5c25f33e1a9f6078fa8352c57a0c22a85c3a7064f4ba0fef52823e4e7a8674f3d6e85a30e291937cb1b003606b7930250c5dd04f2db36b7695
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpXfxRfxFHtHR:W7ZppApBULcfpHLcfpXfxRfxFNx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4698) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\InstallUninstall.xla.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	f59194089f7ba71d020afc2e378f7c00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f59194089f7ba71d020afc2e378f7c00N.exe

C:\Users\Admin\AppData\Local\Temp\f59194089f7ba71d020afc2e378f7c00N.exe
"C:\Users\Admin\AppData\Local\Temp\f59194089f7ba71d020afc2e378f7c00N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
42KB

MD5
111222dfa17ae9f476134f29d0127947

SHA1
bd9eef7f01525f5db7af970d39d05d5773be5bb9

SHA256
474c879f1008a8b1019146d540a828ee1b69456b5c2b683365225acf5a34e0d2

SHA512
bfaa0022eb0de875e5cb98352f4579255d22b4f97fcc48ca2e87bbf1904653cd36bd305690018d198f20c753a6639b33bad86c093ecb14fac7071853f44f51fb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
e0c2cd572f2ecacbe293b8effeb76e11

SHA1
6126bdc2a4df2477c7d31291a71cbd5b9e9edeb7

SHA256
33672724e357974859c881dc2cefdc66fbe9691e44c82045bd81c7f5b4d6e444

SHA512
5bbf798725a0d5f6033db6e2f92de11c43e1241324352426783178daabb3de185567c2bb5873acbae1807952f72704ee83bcc72ab2744de37babc9b7ace68b2b

Download Submit