96174f7fc5959a824965a8cb8c11b3f6577bcaef8501a9df5f20e031259a6ad8

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6463ce49cbfcd2270a6fb7ca72af80N.exe
Size

50KB
MD5

1f6463ce49cbfcd2270a6fb7ca72af80
SHA1

03aaeb0a5d85c56d02813572a4018376e7e44257
SHA256

96174f7fc5959a824965a8cb8c11b3f6577bcaef8501a9df5f20e031259a6ad8
SHA512

7cb402dd4f4cd975c68a73660cc6756d5cadc346c31f663af603d8b1a671ed8213fa4170224b8fdbfde06b76161c623ce987cbb563d9e8578b357c6d7245a4fd
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3h+fZmrs71I8fZmrs71IUoV0K0G06:W7Blp9pARFbhCRYstRYsyV0Hj6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4679) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationFramework.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f6463ce49cbfcd2270a6fb7ca72af80N.exe

C:\Users\Admin\AppData\Local\Temp\1f6463ce49cbfcd2270a6fb7ca72af80N.exe
"C:\Users\Admin\AppData\Local\Temp\1f6463ce49cbfcd2270a6fb7ca72af80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
50KB

MD5
ccce090249ffe5c878ac9c45c5432303

SHA1
993332ac91d4e3e23cb7434f77d8fe7b132dd8e6

SHA256
11b6ea71e48ab18a7db4b61c97e7eb271070dab67afc4a9e16e554a9f07ce980

SHA512
5e2c6b1375d381feb221500909d7d3ce43e209d5850442d20aceef13d5cd400a625d6940805d54189e0df6c899687248285e3b1ef792196d5a6bdfaf19552c5d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
e438bd25df30174a72eaced8e0a01201

SHA1
da1101692917020d548496310c6e4540dec5d411

SHA256
a196741aea5646e1577ae9b199b1820c41893e6eaad0ca559159e16273d056b5

SHA512
d985149ae463ba6c478930f939e04212f63a3eed466304ba3fce97c365f824ad2f49ed13441159b9f22993cf71aef795032b9d0b6815569787a993a339bff898

Download Submit