0c35ab1832945198c2e913891461a84f4872b5be60a64fd91084eead9e4e23e6

Analysis

max time kernel
131s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

host.exe
Size

16KB
MD5

407318721d5587b5db6ce7873890db96
SHA1

87e69c62e196961f51b3a973a6b7e810dcb922c9
SHA256

c641e79ae3fa662a639f4fa3a0cb8723030c114bfb2d7ffad488de73afd574ce
SHA512

2dfa2e3c1ad5ba3e4dd81bfd646995fdcdc20c1080974a26cd01254506ba32d394693144758cf71bdc5726b71aa7721551ecea4f0bd8ca2ccffc17a837ff6f74
SSDEEP

384:y0sAA+LPsuTnVshZ9hA+b3Qj5MRjV1V/QBOIjLb1:yaV/+b3N31V/yb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1306) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\README.txt	host.exe
File created	C:\Windows\SysWOW64\drivers\afunix.sys.abc	host.exe
File created	C:\Windows\SysWOW64\drivers\gm.dls.abc	host.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.abc	host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	host.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	host.exe
File opened (read-only)	\??\M:	host.exe
File opened (read-only)	\??\T:	host.exe
File opened (read-only)	\??\A:	host.exe
File opened (read-only)	\??\H:	host.exe
File opened (read-only)	\??\J:	host.exe
File opened (read-only)	\??\V:	host.exe
File opened (read-only)	\??\Z:	host.exe
File opened (read-only)	\??\E:	host.exe
File opened (read-only)	\??\R:	host.exe
File opened (read-only)	\??\U:	host.exe
File opened (read-only)	\??\P:	host.exe
File opened (read-only)	\??\Q:	host.exe
File opened (read-only)	\??\S:	host.exe
File opened (read-only)	\??\W:	host.exe
File opened (read-only)	\??\Y:	host.exe
File opened (read-only)	\??\I:	host.exe
File opened (read-only)	\??\N:	host.exe
File opened (read-only)	\??\O:	host.exe
File opened (read-only)	\??\X:	host.exe
File opened (read-only)	\??\B:	host.exe
File opened (read-only)	\??\G:	host.exe
File opened (read-only)	\??\K:	host.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\sndvolsso.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\tapisrv.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-crt-string-l1-1-0.dll.abc	host.exe
File created	C:\Windows\SysWOW64\es-ES\devmgmt.msc.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\LockAppBroker.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\mfcm110u.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\eapsimextdesktop.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\rastlsext.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll.abc	host.exe
File created	C:\Windows\SysWOW64\MapGeocoder.dll.abc	host.exe
File created	C:\Windows\SysWOW64\fr\README.txt	host.exe
File created	C:\Windows\SysWOW64\Com\comadmin.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de\AuthFWWizFwk.Resources.dll.abc	host.exe
File created	C:\Windows\SysWOW64\d3dramp.dll.abc	host.exe
File created	C:\Windows\SysWOW64\dsrole.dll.abc	host.exe
File created	C:\Windows\SysWOW64\DXCore.dll.abc	host.exe
File created	C:\Windows\SysWOW64\@AppHelpToast.png.abc	host.exe
File created	C:\Windows\SysWOW64\avicap32.dll.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-shcore-stream-l1-1-0.dll.abc	host.exe
File created	C:\Windows\SysWOW64\es-ES\L2SecHC.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\combase.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\sendmail.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-service-winsvc-l1-1-0.dll.abc	host.exe
File created	C:\Windows\SysWOW64\es-ES\inseng.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\dbnmpntw.dll.abc	host.exe
File created	C:\Windows\SysWOW64\d3d10.dll.abc	host.exe
File created	C:\Windows\SysWOW64\cscobj.dll.abc	host.exe
File created	C:\Windows\SysWOW64\DiagSvcs\DiagnosticsHub.StandardCollector.Proxy.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\imapi2.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\MSDRM\README.txt.abc	host.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt.abc	host.exe
File created	C:\Windows\SysWOW64\mf3216.dll.abc	host.exe
File created	C:\Windows\SysWOW64\aclui.dll.abc	host.exe
File created	C:\Windows\SysWOW64\dmdlgs.dll.abc	host.exe
File created	C:\Windows\SysWOW64\mfc100deu.dll.abc	host.exe
File created	C:\Windows\SysWOW64\migration\msctfmig.dll.abc	host.exe
File created	C:\Windows\SysWOW64\fi-FI\README.txt	host.exe
File created	C:\Windows\SysWOW64\d3d10_1core.dll.abc	host.exe
File created	C:\Windows\SysWOW64\DisplayManager.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\WABSyncProvider.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\Windows.StateRepositoryCore.dll.abc	host.exe
File created	C:\Windows\SysWOW64\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\wevtfwd.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\EapTeapConfig.dll.abc	host.exe
File created	C:\Windows\SysWOW64\en-US\WinSATAPI.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\sppui\README.txt	host.exe
File created	C:\Windows\SysWOW64\de-DE\Windows.ApplicationModel.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-core-privateprofile-l1-1-0.dll.abc	host.exe
File created	C:\Windows\SysWOW64\MSFlacEncoder.dll.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-1.dll.abc	host.exe
File created	C:\Windows\SysWOW64\downlevel\api-ms-win-core-localization-l1-2-0.dll.abc	host.exe
File created	C:\Windows\SysWOW64\es-ES\NetworkItemFactory.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\MapsBtSvc.dll.abc	host.exe
File created	C:\Windows\SysWOW64\msg711.acm.abc	host.exe
File created	C:\Windows\SysWOW64\BWContextHandler.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\tapiui.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\taskcomp.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\deviceaccess.dll.abc	host.exe
File created	C:\Windows\SysWOW64\dsound.dll.abc	host.exe
File created	C:\Windows\SysWOW64\main.cpl.abc	host.exe
File created	C:\Windows\SysWOW64\AdvancedInstallers\cmiv2.dll.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\listsvc.dll.mui.abc	host.exe
File created	C:\Windows\SysWOW64\de-DE\wlanui.dll.mui.abc	host.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MsEdgeCrashpad\settings.dat.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.Parallel.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCommon.Thumbnails.dll.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.abc	host.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\NoiseAsset_256x256_PNG.png.abc	host.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui.abc	host.exe
File created	C:\Program Files\Windows NT\TableTextService\README.txt	host.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.abc	host.exe
File created	C:\Program Files\VideoLAN\VLC\COPYING.txt.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\VungleSDK.winmd.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine.winmd.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\DecoderAppService.winmd.abc	host.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\README.txt	host.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\WindowsPhoneReservedAppInfo.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\FFmpegInterop.dll.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Gamerpics.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\logo.png.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml.abc	host.exe
File created	C:\Program Files\Windows Media Player\es-ES\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Tasks.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.Native.dll.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.TypeExtensions.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\resources.pri.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\sqlite3.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\ChartIm.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SpeedSelectionSlider.xbf.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntPlat.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\BuildInfo.xml.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\rtmcodecs.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140u.dll.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.abc	host.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.abc	host.exe
File created	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x.abc	host.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\msosvgim.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\PointerIndicatorPixelShader.cso.abc	host.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\README.txt	host.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\README.txt	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\mrt100_app.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.OneNote.dll.abc	host.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.abc	host.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\README.txt	host.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.abc	host.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-netevent.resources_31bf3856ad364e35_10.0.19041.1_en-us_38798ad25af4de0b.manifest.abc	host.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..anagement.resources_31bf3856ad364e35_1.0.0.0_es-es_1ed6b3382174d4c0\README.txt	host.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_10.0.19041.1_es-es_11d38dc37c68ddc1\System.Web.Entity.Resources.dll.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-imagesp1_31bf3856ad364e35_10.0.19041.1_none_9a5903c09209a3fe\imagesp1.dll.mun.abc	host.exe
File created	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_1cad2165a3d16b35_profsvc.dll.mui_32482e9e.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.19041.1_es-es_c0476ba913952b3f.manifest.abc	host.exe
File created	C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscresources_msft_scriptresou_8db33f971ae881d7.cdf-ms.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-h..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_2eed497c75baf8e9.manifest.abc	host.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-WMPNetworkSharingService-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_10.0.19041.1_en-us_2d69da7c9914d44e\README.txt	host.exe
File created	C:\Windows\WinSxS\Catalogs\b5af56735c667c097e1e74fa6a6f4d20181bb846820e48e2d77b558a40308575.cat.abc	host.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmicvdev.resources_31bf3856ad364e35_10.0.19041.1_de-de_2cf1b3b91bef6d23\vmicvdev.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\amd64_mscorlib_b77a5c561934e089_4.0.15805.0_none_22bbf2faac84b21a\normnfc.nlp.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft.security...gement.policyengine_31bf3856ad364e35_10.0.19041.746_none_1582fc9b8215e8e7\AppLocker.psd1.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-xwizards-duiplugin_31bf3856ad364e35_10.0.19041.1_none_1aadd473716d8baa.manifest.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5794789dae2793cb\README.txt	host.exe
File created	C:\Windows\WinSxS\Manifests\msil_microsoft.security...ionwizard.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_026577e049dbfd6a.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f.manifest.abc	host.exe
File created	C:\Windows\Cursors\arrow_m.cur.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ie-behaviors.resources_31bf3856ad364e35_11.0.19041.1_de-de_6868c627c711be56.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_00dd419f2118ea10.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c97f49336e2c9c8e.manifest.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..lient-wmiv2provider_31bf3856ad364e35_10.0.19041.1_none_57caa85d110ad829\README.txt	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.1266_none_d7b5820f5a89765b\ti_dnn_fast_it-IT.table.abc	host.exe
File created	C:\Windows\WinSxS\Catalogs\a9c39a91900390bbeb9ecbff52bf1f17e8f69b24902daaaf15556409408c6326.cat.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-g..maker-mof.resources_31bf3856ad364e35_10.0.19041.1_es-es_55ec70bff5fbc68c.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ime-korean-skfpad_31bf3856ad364e35_10.0.19041.1_none_027a73bcfbf78c21.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\msil_microsoft.windows.d...commands.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_df9dd9f3c91c8f98.manifest.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-u..access-userdataapis_31bf3856ad364e35_10.0.19041.746_none_f22bc9cc54629ea4\README.txt	host.exe
File created	C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsDolby-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.abc	host.exe
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_b400f714c4b791cc.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-filehistory-core_31bf3856ad364e35_10.0.19041.264_none_92ee62a6d5b1c18a.manifest.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8\README.txt	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mp4sdecd_31bf3856ad364e35_10.0.19041.1_none_c4d976180c86b831.manifest.abc	host.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.264_none_44ecb7e259b46a0a\bootvhd.dll.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft.dtc.powershell.scripts_31bf3856ad364e35_10.0.19041.1_none_c197fa97b94cfe01\MSFT_DtcTransactionTask_v1.0.cdxml.abc	host.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_10.0.19041.1_none_5bf454b921ca2c86\README.txt	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceelementsource_31bf3856ad364e35_10.0.19041.1_none_0863ad02c2d353da\README.txt	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..cecontroller-minwin_31bf3856ad364e35_10.0.19041.928_none_1d29b4735b607954\README.txt	host.exe
File created	C:\Windows\WinSxS\amd64_netfx-mscorpe_dll_b03f5f7f11d50a3a_10.0.19041.1_none_711f2defd8bbc309\mscorpe.dll.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-msctfp_31bf3856ad364e35_10.0.19041.546_none_b32b50bf82215109\msctfp.dll.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_en-us_56acde8d587f4435\DiagPackage.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\FileMaps\$$_boot_pcat_ko-kr_d96bc3742b535818.cdf-ms.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-fontview_31bf3856ad364e35_10.0.19041.1_none_04a9c5158a354e7a.manifest.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_10.0.19041.1_it-it_04f3a16e1ca58747\MSVidCtl.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_networkswitchmanager_de-de_00bba70f50cf3530.cdf-ms.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526.manifest.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..evicecontexthandler_31bf3856ad364e35_10.0.19041.1_none_5dbcb7840606bee3\RemoveDeviceContextHandler.dll.abc	host.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1023_uk-ua_a58c0decc0c52e37\comctl32.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..dlinehelp.resources_31bf3856ad364e35_10.0.19041.1_en-us_13590d14d7ece9c6\README.txt	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\PasswordExpiry.contrast-white_scale-400.png.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-search_31bf3856ad364e35_10.0.19041.746_none_d30a83ff81d13ba6\logo.contrast-white_scale-100.png.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wpd-status.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6b409cc788489cc0\portabledevicestatus.dll.mui.abc	host.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-msmq-adintegration-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..-taskhost.resources_31bf3856ad364e35_10.0.19041.1_es-es_b1e907239ad88df9.manifest.abc	host.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..orking-connectivity_31bf3856ad364e35_10.0.19041.746_none_1ac92c26b9949bd4\OnDemandConnRouteHelper.dll.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_8e7e66b9265396b7\wuapi.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..guard-wmi.resources_31bf3856ad364e35_10.0.19041.1_en-us_48ba52bf68b5ce59.manifest.abc	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fb42bd2a30338d73.manifest.abc	host.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-Package00~31bf3856ad364e35~amd64~~10.0.19041.1288.cat.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-10.htm.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..oryclient.resources_31bf3856ad364e35_10.0.19041.1_en-us_778fb252688556d9\CallHistoryClient.dll.mui.abc	host.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..o-multi-dimensional_31bf3856ad364e35_10.0.19041.264_none_fc888bc204d36fa1\README.txt	host.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..ingfolder.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_8ad194b4178ef8ff.manifest.abc	host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3692	3516	host.exe	92
PID 3516 wrote to memory of 3692	3516	host.exe	92
PID 3516 wrote to memory of 3692	3516	host.exe	92

C:\Users\Admin\AppData\Local\Temp\host.exe
"C:\Users\Admin\AppData\Local\Temp\host.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\host.exe" --foodsum
  2⤵
  - Drops file in Drivers directory
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4156,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui.abc

Filesize
3KB

MD5
27540784a877a58eb84d2650420e3e80

SHA1
310cb50b9f52e2b9dbbfd5b168b26eb0d51f06a0

SHA256
e809df7acb4ffa17e104d039a118f86d3b41e40e45a40a082dbafbaa981ccb45

SHA512
e22fca0ed923cf52c983b43e9ef5268d12e9fb83fdee11db0229e980a5b30bd4999cd440893011f84fe922978899a373a7976dfb35ddf03eb26985c7781069ad

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\README.txt.abc

Filesize
112B

MD5
5b9686b2080e06233af977687cc62cd9

SHA1
f7f8009d83de785e9ec3ba8327615dece138ff44

SHA256
3ea7e90045b84e9bd5829d25b9f614b050677c0b9f8e0a3ef088c9c9d5952d30

SHA512
18c1840a9b536415a4534e6d7319b17860dff6ffaab5c78eeaf192b51f55d15bf7799f89d70276a4cfcb6c0c33cc9bfc30a7c54f0dfa80013838c34a502ffe66

Download Submit
C:\Users\Admin\Documents\GetMerge.vdx.abc

Filesize
403KB

MD5
361d25f05789b4ccb75b5f6bb3fc9c93

SHA1
4bc552d5b2892fd8bef9e5af68aa5db12c18fae8

SHA256
4e5ebf9e83e6a140f75385c66bce8d963eb78468606d552ee94d3826cb95a6af

SHA512
3d78ff085b327eff82042cb620a9a199346a29be7fd6a182838c8871eea0499bb63557bce1d7a4c5f3f2d408106f959e206b6b3c6690a45edcfb91aefb850a3c

Download Submit
C:\Users\Admin\Documents\README.txt

Filesize
111B

MD5
c886618651a2cca2d13713a3638cdf15

SHA1
659fc81b0d3f02d24423f1b0d71e59c8abf3e254

SHA256
bac1c27230f8a04a56555076a9d32f411507cd535c59cd9ce937ddc204481bf8

SHA512
5a1659c39e62f8ac064b3240241610e491eeb72b10ee30b5b699befd1be45e4249d584d8e4c577761112f8999a351865bf0e40da4f62b19ad92987dcd95275c7

Download Submit
C:\Users\Admin\Music\ReceiveDisable.ttc.abc.abc

Filesize
512KB

MD5
79fb58ce9a3cee45ed5aec61614b52aa

SHA1
bd25fdb96db4d213b8cfe9064598814a738365ef

SHA256
50d13360b0931fb5280009544620cf887c51602131c5fcfc1b1cb2df59b1e420

SHA512
8d2c3d04d7015fb11fc2329775a2fc8ed242ca1c5b00c90cac4d5291b9fde09807f7fbe98d7d00b0d8d89719147eba99c880ace79f69e2a31962e4dbf5c54507

Download Submit
C:\Windows\Fonts\8514sysg.fon.abc

Filesize
9KB

MD5
c089db5bc69d7af95c22a53e1ca80d4f

SHA1
010acbd1710e9cda39939223d68b23dee59bd1c0

SHA256
3242f5a82cb8ea43867bcf971479f9f806e31e89aca5a9eb75f3307e0c2d4245

SHA512
ac19993c467987682a5fc7e02cd085dd7bfc973721cded5bacdd98258241aa92cf84b75c7f6cd7df66a499d9ff7d30ff53d0713ad84c8cca295f84f4c9123593

Download Submit
C:\Windows\INF\c_camera.inf.abc

Filesize
5KB

MD5
474504d6f0075634c240713371bea660

SHA1
6809c2c78b826b84a06c23286adc042735813a47

SHA256
80f4b3b173782173bd888843961a8107e87ba57acb625229793f7144fc384278

SHA512
b9465a096426a9304b70a2d45c4b5262a046ca6771552105d0beca2b9625c2535ca705f8bf4cd1fcfce9c16e506c8b306680f030001e1b91683f3b66070dc1e6

Download Submit
C:\Windows\INF\hidirkbd.inf.abc

Filesize
4KB

MD5
ec0ad05a043db1d20abed34b1148503d

SHA1
8f41c1cf16014fb174a7fedb10aaf01e12700634

SHA256
b48b0da2e3b120efe9dca7b992d63313f1189649573eb9de9fbdc5fff23c5c94

SHA512
10a91e258c6d446db15c6bf33299f3040e0d62b3fa83eaa844a78147f63ed8f81f2d163805727fdf64126098c9010194d6d3dcd8aa532059e8b5d9078d1747e6

Download Submit
C:\Windows\INF\rdpidd.inf.abc

Filesize
8KB

MD5
7e1867885e2fc2e0d18ee4a8ca6b9f2b

SHA1
4d127cf46e13c32550f13d594d9a2a882c985ee8

SHA256
1912582036abd081f2eaf8f84e3da80e06e25d89a5170dcef02422a34ee89ab9

SHA512
999fb225ebf5c38267bbe97b0e67d6c2d3e0766bc545e3d6bc7989eadc0da57832bd95ea5b740ea9230035004207b2751f5a89918293e0fc97514da2083c7649

Download Submit
C:\Windows\PLA\Rules\Rules.System.Wireless.xml.abc

Filesize
156KB

MD5
c6134df2d72be15ef37c633b0b6ba86a

SHA1
5beb3912351a587bb4984fbe38c8273e448b3b3a

SHA256
51215ca06fa4bc849ce804ad26ad5a9d0f0e2dc3978f40a11e64b8c9d71d36a6

SHA512
276d2b94d952dd1f508e9fcacc797249fba1f8c62ca65af796b2af7bb88c4a8a54ea47a483716c6b4259511fd04f36cf02d8b73998e75dcdf0b5f8fdd50d619d

Download Submit
C:\Windows\PolicyDefinitions\de-DE\wwansvc.adml.abc

Filesize
7KB

MD5
37adb977997cc520a20046fb2f83dccc

SHA1
4dfd6e0e3986f79ea9fbd01b84ec449dae801acb

SHA256
fe97f01928806693f149e72fdcd7d088f56109e78e6dfe26077688c2fa9b2930

SHA512
6e7fb5a172b9cff602f7dbc580bb041565a252d426ba0af05c0444a4df331a9a68eabfc3ab264b48ab1465d76135b469f0ed7281111d50aa35dd2e56a2c1f0c7

Download Submit
C:\Windows\SysWOW64\CallHistoryClient.dll.abc

Filesize
140KB

MD5
9953d4f636a5e1557be751f00cbed255

SHA1
9adbc0c7cef69bfdbf47efb21c6177f5d4d2363e

SHA256
881e6a6438f892ca58f8e2e7099d985667b56fb893892064dbce098930c4b4e6

SHA512
55e4bb3519eeca8ee29bae82f6d0e28aa5d6e61eacc0a406f2d80fb75a4620ba90e196d6872e53cc7c33c97a6ac7c8ba4f60e1dfefb9a435893b04965c27c9e8

Download Submit
C:\Windows\SysWOW64\bdaplgin.ax.abc

Filesize
74KB

MD5
e9e18094550dc5a07a8d0080c2472283

SHA1
d28b6934f5e243aa21a9c25b5affae9b942118f3

SHA256
12007f2d2cbe257487b8707674ed2ed74a6874f402680cba612b8374c055f5f0

SHA512
7517d09443285546635b30e6b81f52e7ee11d5bfa3a1409ad5f35f290948ffed9a1ec91e401074201eedcf7e9307c8a8c05d5633992fa7c94c3c7dfebe26719f

Download Submit
C:\Windows\SysWOW64\es-ES\ntlanman.dll.mui.abc

Filesize
3KB

MD5
615dcd0fca26b24735773a40f13ff1c7

SHA1
94b22c93e3e49d9e67dcefbfe28c850edb20ce5e

SHA256
553064931c1b951b7407fe663c075e5f3aa0fb77d8a6a16bdc15e147fcb54f14

SHA512
3bdde9ec31a4ed2f9fe74fd494d4ef52df7b6ac3202bd607d7faccc11aa9925538ba62d2360d8a6a5938d4f549764eddd2ada1568baac3754c2fdd3e0a03d462

Download Submit
C:\Windows\SysWOW64\mfc140deu.dll.abc

Filesize
66KB

MD5
b70dc81ceeaeb169dbb2be3fa34e5b84

SHA1
1711c397703cc347e748c9db0ceca7dbda7788b7

SHA256
ea6567140547fa1bf38ce4c79d8820058844b2e8da6b58e296c78e1ff369d7ca

SHA512
287ba1c9fb3d787beb487a9a333075c08412fe6d5e669ed99856f09f4daa0cd374eeb69da502bc620cee8e7b3676956bd143a8741ed851c3def96a3dc7559314

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads