f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 11:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
Size

46KB
MD5

3a753a1682d024df413901beab777e71
SHA1

950c90d47133019696c820a5f50b5c7b1f577220
SHA256

f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc
SHA512

2562dee87c1af15800b8428a35fc5c90dfad713a93d833f2d64d85ee42914bf76a647b6fb1aef30d6158171069925e832334cef66a5b6111f0751156de63eaa0
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpW/gtbW:W7ZppApBULcfpHLcfpdtq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ro.pak.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-private-l1-1-0.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe

C:\Users\Admin\AppData\Local\Temp\f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe
"C:\Users\Admin\AppData\Local\Temp\f53f6162899bee376f9f6f88f985cdf18da811f880349ddc2fd6c5ed181b75bc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
47KB

MD5
c8a1a6f4b7b7fc4d7b533a0fa64233b3

SHA1
7b2f9aa78ff9af3f9803ca8232a6238f42fdb250

SHA256
42e7a6eec7f07d2e169d3ad14ac8eb649676cde1a2871aea3118202c42ba67bd

SHA512
6b3a5ca619ceec8581b2932d92d5341222776f687ee9b68909e0360b72f5cca31125d8cf906053d773aafce392981f1b0384760aa25c89e88c6532fd3e47f857

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
c2eff7bd57c443ca788e792b594e01ce

SHA1
a170ef2d820d8bd74ea6876e025a06176236632f

SHA256
bc02e74e805a94dcc25df109554cf7318c9ef552560b9c95e7e9c1a6fdc9dd39

SHA512
97028264e01d8b992640854ddcd97c9310b6acc65c29f73196fbf351af885cd20d98bbf2968e243a984e483e7ae819ec0fc8412dd650719969289c20852ff63c

Download Submit