926e5a0c629899225113fe3f481743fd3abf224184b83e9f7fedcc3014013485

Analysis

max time kernel
120s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4c0b74aa5ab654b3472615de5df1d10N.exe
Size

46KB
MD5

f4c0b74aa5ab654b3472615de5df1d10
SHA1

b43ac39c816b2ca56608824daadb6a212ac5b2f0
SHA256

926e5a0c629899225113fe3f481743fd3abf224184b83e9f7fedcc3014013485
SHA512

98bf5affacae8a2b8d8a4eec679d54baa35f73105cf23541aec7c9287cd3f41d3490ea30a0a9da575fc2083c08c4628303b34dd019f169ffe8d1f2f80454067e
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1FfcfX:W7ZppApBULcfpHLcfpSo3fXfcfX

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4670) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationClientSideProviders.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vulkan-1.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	f4c0b74aa5ab654b3472615de5df1d10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4c0b74aa5ab654b3472615de5df1d10N.exe

C:\Users\Admin\AppData\Local\Temp\f4c0b74aa5ab654b3472615de5df1d10N.exe
"C:\Users\Admin\AppData\Local\Temp\f4c0b74aa5ab654b3472615de5df1d10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
47KB

MD5
f574f3673f2cdb8bd99c69012612b4f1

SHA1
a4206515727590f94646f2b656020d24597d673d

SHA256
6581083fe876495d5d498dbfd834cf6b079042434a96110b6c3fe01654a1a253

SHA512
5f91379798dc9a706ffc6787a2b68905ee4bc912bc301f839506e209fd701ec492c7842b7f301ee780b37976998ef82bd85cbed4a6c4d4488516f3efd1e6c2a9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
9ca1fa4acfebdaea528219d19a014e31

SHA1
f162c772d30cfce58337872c2c6db6f92f47278e

SHA256
e5fba48282f42fe1eaa39fe80ff51add1c4fc581501b327ff32aba304ca08cb5

SHA512
b6fdfcc74f4934d58da059e8042d775f4287f7a712f8aa87517a7ee3066b3160de7d7a5b5b4465a460bb88478e5db2d675664ecd4e1bf6d01013149de511a817

Download Submit