d50f1d87c15478c4086ddaea93f2cfb288be2030d0a8c4a1b8a58c8d4acf8820

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe51ca70dfc0db1f486e9de94a2bb490N.exe
Size

43KB
MD5

fe51ca70dfc0db1f486e9de94a2bb490
SHA1

2f1ad7cba515b2eacbf4cc34cd4a2b8dccee0830
SHA256

d50f1d87c15478c4086ddaea93f2cfb288be2030d0a8c4a1b8a58c8d4acf8820
SHA512

dc874f113fc5f052357bf98d56be4970f58c8bb4f657d4610129407f462acee31674d5a3d37f77b41da2498cff17d1359db42e84867dc428f7636a0633f8f706
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LORWAnWAkpUE5c5gSC:W7ZhA7pApM21LOA1LOrtkpt6q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.tmp	fe51ca70dfc0db1f486e9de94a2bb490N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe51ca70dfc0db1f486e9de94a2bb490N.exe

C:\Users\Admin\AppData\Local\Temp\fe51ca70dfc0db1f486e9de94a2bb490N.exe
"C:\Users\Admin\AppData\Local\Temp\fe51ca70dfc0db1f486e9de94a2bb490N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
44KB

MD5
a2978ae0493055144ce57f234bb2e0a3

SHA1
c18eb1f22e408e9cb91a0ea047b281e5ce0a85ad

SHA256
e5013b0f1a9ea3685f0a408bc2bc9c0250c4dd05ebe08f03c788cee53a4f0306

SHA512
221d428a925921d5d8038e09d0942298e5c69baad6a5ad3a6dcffd65863b1d82f7cf0604798ef3f3fc095215b2462ac207b9933610f8d07816d568d5e565ebb0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
143KB

MD5
b2860681bc90f30314e08446810b8249

SHA1
87fef87b75fdccb5ab2b0b9bdc99a8164fca4118

SHA256
328181d853313e26a3674668ba6bc2aca006989b92b0a6c9a7603162f96b3749

SHA512
c8dd047e56a724a447dd33306d52ad874f06d37bb1d1c3e9c86761ea8184ff8bebec00fa7477496862f3e7f54ad5e7a2b89b29ad08eed139abb042f205f45145

Download Submit