aa4ca354d648045890cf4e10bfdb9e672689fba75b25d92de119e0efde090de5

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 13:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fcf8b58b14bd963668dc74b7f24f3060N.exe
Size

56KB
MD5

fcf8b58b14bd963668dc74b7f24f3060
SHA1

53a4504ca453cf4396358583e488e5e5a5c2d5c6
SHA256

aa4ca354d648045890cf4e10bfdb9e672689fba75b25d92de119e0efde090de5
SHA512

e599cd2d2965db6f7d86e6d4bf4e98f902d92597547bee49ceb1f370563f5848ed5b906b9e9f26cd648c0712db7c2794d76d30baa9d12d407cb217fcd085ff07
SSDEEP

768:W7BlpppARFbhbt7Y7wTCnBv0PcR0PcljybCPi1x+jybCPi1xM:W7ZppApCJRJlBaqBaQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Queryable.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	fcf8b58b14bd963668dc74b7f24f3060N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf8b58b14bd963668dc74b7f24f3060N.exe

C:\Users\Admin\AppData\Local\Temp\fcf8b58b14bd963668dc74b7f24f3060N.exe
"C:\Users\Admin\AppData\Local\Temp\fcf8b58b14bd963668dc74b7f24f3060N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
56KB

MD5
f2089e2e4e402dfb9922af6e326c971b

SHA1
51a7152bc969ff304c2092220d17e66d626f4e2b

SHA256
1e8a6aa9f34fd9327c5c1906f1750fe6c6b9aa958c2c2a85201c64a1f5027e8a

SHA512
de5ba06bd51cdb5544026171e68f45650fe2b3449c676bff44e626c377034f76d5f2b636e4266e8ed3ea7dda452813d5b1da5c78309f5b4af2326c694d482b3a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
786655b06f412a206a22b24baa8c5582

SHA1
8821be4753a2d5c4dc00401cd1e3a40f499cdff3

SHA256
099d8b96063f8d49e4f04971805a6c93980a19700db6911fca8feaa5c7d26939

SHA512
fa2e3cb313916d36c2b695393dbb57cfeed0c4ddf2e4e09940b0631071783c53f073b6e4adf8e081369b7476c6c012938994919c06a78102e3504138c6f4231e

Download Submit