1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
Size

98KB
MD5

505f29dc70e14f71b90b35b7f1894b80
SHA1

9b742470200413dfcb5cf9796265a315ffb2c4de
SHA256

1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb
SHA512

f24df27e8b826a5ac68c97e8298785e03ee50632d67b772aa5f069102a68d0a716a0e4dedf254ab0bdf89b336fa92dead10d5f92284b569303c2db89f835294c
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eN7HlulD:RqKvb0CYJ973e+eN7HAh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5056) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE.HXS.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe

C:\Users\Admin\AppData\Local\Temp\1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe
"C:\Users\Admin\AppData\Local\Temp\1c63eaf9d4293a3389862a450e455e7f9d1abea7a5863e1ad5b92ee1871be6cb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
98KB

MD5
a478928afaffd2a7d601e29f8d0759a5

SHA1
8a8afd167124099e327e21fdb6aa27e7db9cae9b

SHA256
e3e569345be2fbf844f7ba5b0666c936b1655d661d2fe45b20295a71e9ef6a00

SHA512
3b9412a7675d9561b03559a60c809bef7f839ca5a298cbfdf6141497444cc4e1287968b78ffc9980122db0cf8ed211b4e78dc6dcecf36fb405aef4348b0777d6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
197KB

MD5
2ac61ce44de364f60887299b1296f52d

SHA1
8baf3af4dea561cfcbd8b33288b59be06c313a5d

SHA256
97d031d2fe0b0ef012f7f71b30a59dbde5ecda319c1d3daf4060c57c9fad6996

SHA512
26cf5702c66899b00e4d5f727bda64a77d8fb0ddf3d569e118c5a32bf8ec3469bca3b307892c614c6ebf991719686e8dce21c984afadd74faec9456f0ce49455

Download Submit