d1122a4a0abafad7aa81040d17f4d6f59c67d197833daca5f73aa6d66f2115fb

Analysis

max time kernel
119s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6ea3b88d7fb38f9147d47eb28380630N.exe
Size

48KB
MD5

f6ea3b88d7fb38f9147d47eb28380630
SHA1

bd6af4049921d393a71b0cc242187599856c8fa4
SHA256

d1122a4a0abafad7aa81040d17f4d6f59c67d197833daca5f73aa6d66f2115fb
SHA512

6f7de1f898710f8ea80f83e17e8bb77af4b2dff4461dab34ae287bee539b4d31e712b7e0c39f21bebb26383ba44323ebd78d554d6742b2e51346ef9f86b2da72
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLmuH9uHVoX+OEiJfoX+OB:W7ZppApBULcfpHLcfpyD9uH9uH28mw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationTypes.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	f6ea3b88d7fb38f9147d47eb28380630N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6ea3b88d7fb38f9147d47eb28380630N.exe

C:\Users\Admin\AppData\Local\Temp\f6ea3b88d7fb38f9147d47eb28380630N.exe
"C:\Users\Admin\AppData\Local\Temp\f6ea3b88d7fb38f9147d47eb28380630N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
48KB

MD5
7a41c991b9f909d3601396d3eca7f114

SHA1
88a8de80716d3778ff8546e3d4810eb61bb13b30

SHA256
b06752542a1dc05d2999e77ca5d6bf00ed102055859e7ea38d9103bb51bbe57a

SHA512
5c17a0aa12ff53516d935ef610646739b1bf442c4c10709fb5930855096032b44b7200d00554cb078d7db28d0149fd5ca8fdfb38604c3e39e4cc481d1d0035ae

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
1b933373742057b93b1843e9e7a35a5d

SHA1
12a7f2eccba3806617a421bb8c610f278ad04003

SHA256
4042f1a8a7a64f6e95e315d4bc577deb9370da5bc2ecb57b6e7df15824c7579c

SHA512
166aec7457bcad27d725c9fbb8e0ea9e14fe5dbd84e5bf0a1d1e5ee6e89b22061738be61bb7017727e60e1ff9e2e3dcfbe354acef762005d5af765c5737d00ec

Download Submit