7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
Size

42KB
MD5

16e41e3e39afd6336d664603832e522a
SHA1

6919202e250bc23c2aff387faaf3106edd60906e
SHA256

7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb
SHA512

9a34a8ceeaec64225c30f03da83792620a76b1c86e80ed996b6f0cafa89ae71b5be4b27e9644d7a7296079e9a196134924e3ad21f4d5ebf10d9d7e868b40d314
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3ojoPWjyjoPWj+jUDXV8gcjUDXV8gY:W7Blp9pARFbhxwWj6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe

C:\Users\Admin\AppData\Local\Temp\7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe
"C:\Users\Admin\AppData\Local\Temp\7f6fa607957f3d4868b3923c9ba624248197209694eff70f4e72d736bf8cfcdb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
42KB

MD5
df4b7bb9d5bb3cae834aeb386522993e

SHA1
4251e820f6b7e2a87f05361a4edac9435a227631

SHA256
454a3374f8a94b95032fcc73ca124f90df88bfb59997f81dbe5d1863d3da94a0

SHA512
28a6e6f5d264328e125d7d03e585d0384c65b40102dffd54a054d34763794eaaec593b92f9df3d65c8b94cb19f537cbdf04d7bb3bc707728e0b2a3cd088655b3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
141KB

MD5
688baa97b522938ae9071073db8923e4

SHA1
53b1441b41e7a4dd2dade524452e5321941241bf

SHA256
3c2502d089044354aaea66546060b19ef3709a680c14ab521a1b172e5eaceacf

SHA512
86b3d65e787383a1518de4215e3bd92d2a1a92b698d42d50a21eb053d3ab89aa3f9d53bf881f8d8c0bbba1c59375f55710796fd495ab2f48dc2ec1c1e8392551

Download Submit