f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
Size

52KB
MD5

7c0d0817c7785fa57e89e6ba6b81369e
SHA1

0c4b56ae4b8dd22a199f7fe51e94cca21d381614
SHA256

f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5
SHA512

440de04312021a4ae82a50131bbfc7f8a2891cc405d126862a882c024fc4369d27225313e137818a981ecd049a8e03f2266e6891dc6c6dce50b5b16f4e3ff5b8
SSDEEP

1536:W7ZppApBULcfpHLcfpyDoAQeLeAeLeJ0Jz2giz2gW:6pWpBwchcwD8z2giz2gW

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-pl.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe

C:\Users\Admin\AppData\Local\Temp\f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe
"C:\Users\Admin\AppData\Local\Temp\f8c94acf3ef48bd2d02bcd4656d6f3f80c1a88fdd577bdce05cbe0aa2db925a5.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
53KB

MD5
04cd0b17274ed38961c31c3ebeed465c

SHA1
ac4e40aefbd9a21b699abce23ab97e8fd81440d9

SHA256
d400b85137e2d4dc8d3bfb8ea9d025fa2acbe5c0c3763b8a610394c9087941b7

SHA512
ba8ac7a5299b2e40ae324fe01ec935ed168fbb13e1e9900ce62442829d083cc76d3c6b9375e76a1b5c873d0c29473728c03dcbe71984863e1f0e1fa228fa3afd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
424b999ef9101dadbefa5c50bf7b9a72

SHA1
0d7dfa4dfc7fd83ce8f7dd76309418d1fc2b4078

SHA256
7060b9ac2c3ea539f3a6e91f90d1bae599135d6603042e0a8aa41b5b9d3c0dd8

SHA512
039763cbbd1a873a443fc8d102ec43e9f31f4c7bb3ecc9cc644df5ba233864fa4dcef70f86d7825c8bbc7e278d049afada484357ab5ec7976602ee0a080427ee

Download Submit