f474a27bd73630d920aee25d3abbde244560ceb2c9c8879f53c11e5ee8e76e8c

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff828f1190c0d7551a3db68cf94cb470N.exe
Size

47KB
MD5

ff828f1190c0d7551a3db68cf94cb470
SHA1

85ab6a0fd13d968a0c95c3a2afad0b1bd615f5df
SHA256

f474a27bd73630d920aee25d3abbde244560ceb2c9c8879f53c11e5ee8e76e8c
SHA512

ebf40249759a89a79f5569a74a5b76395dcf3f5eda131c30d94a55d1d5739f9f4a7ed10cd4403d714521fd4e9e62402b4da99c96cdfe49a11452fa815f2aa2b1
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFXpK5c5khwRDThwRDpcK:W7ZppApBULcfpHLcfpyDA6swXw1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationClientSideProviders.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	ff828f1190c0d7551a3db68cf94cb470N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff828f1190c0d7551a3db68cf94cb470N.exe

C:\Users\Admin\AppData\Local\Temp\ff828f1190c0d7551a3db68cf94cb470N.exe
"C:\Users\Admin\AppData\Local\Temp\ff828f1190c0d7551a3db68cf94cb470N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
48KB

MD5
73c0c640c19f3015a3b2730758241568

SHA1
cba6d84e95843d9908296ae2de4039cb56b2321d

SHA256
4ed0fb428589a24171b5e1f2b76a097ab9d7466c1552c684fba4eef013b68168

SHA512
8e8699878dcc06696af361310a565d438f8e7651419b535148fc25e885ba916db8ef6aad19414691bab69efd2992dc9b1774437e2bc134d2fc771b39cf5e0a95

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
868d11d73cdd8000fb7ff982d167fe9e

SHA1
147e6cb22642b220d6ec650d4175b5f8c49f6178

SHA256
3b20644efc284909b837cabddb687a290461f90ff345b883c1bad5d40cc3a941

SHA512
df4db1457f34dd740ab99814fb1bf05dece5a699081bdd4654c51fa725e80ac4352d50adc16eac52e17d69de005a8458fcd41f1827c313990159ef475b13c299

Download Submit