f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
Size

95KB
MD5

40ec0acd22e64cdb836ed13ba9e5005c
SHA1

adc7eaae975f4f01453f04b52b80830fcf4ff0a9
SHA256

f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7
SHA512

784e337adb435af086d705df2656e21f8738355b4bbcdd7e77ac7186987fb6ce44e922c77a48b20892683416d303aa19f1c6a0d6727c0f9f33517356f874fc35
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhi:6pWpUFpEhLfyBtPf50FWkFpPDze/qFs7

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4873) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe

C:\Users\Admin\AppData\Local\Temp\f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe
"C:\Users\Admin\AppData\Local\Temp\f5ca17ea040fa40f03794386a658a5da7d8e75ed9801c866acc1aac5da2f83e7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
95KB

MD5
fa6bceb6cd37ffd3aa7530bb1fa06ecb

SHA1
881eb95798ed43fc6d6e6722fc19d9f11d3ff6c5

SHA256
a81fe9fb222f85a5c52c424af4154e222dfb1f73abbe766f667eeceed43ff872

SHA512
6cd08a0549a4cd3d47f172949742ee0352f8918567cf7a4113ad6c2fa7f846997e4ec34a4378d02ac9c772b03ca290aee675b04bd8ea80c6b9ad02ff1b90ca16

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
194KB

MD5
eff3215b9488be0e0f20b0c42a4972fc

SHA1
a761e86cd34faa7ad56885067479028b2d077d03

SHA256
f5294f4b62713f6eae987eacb324712d62e055e34961d9fbd2d58ac6a617bfe6

SHA512
1a37cd87fdd8521e1c2fe97032ed101ef4b757002151540816f35f0de34960edddcdcee75c1e93771719a7ac662e1fe72416522b901746119a45bd58a4f55259

Download Submit