d6cf90fee8ea7164f68a4c7ac2f2e4f7729fdc2fb19627cea65b5474eb223ed3

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f686b59f7f8d5481b2bbdca6e66c2760N.exe
Size

41KB
MD5

f686b59f7f8d5481b2bbdca6e66c2760
SHA1

8bfb62b08e1a49a15914beb37c7d59b69f846e9f
SHA256

d6cf90fee8ea7164f68a4c7ac2f2e4f7729fdc2fb19627cea65b5474eb223ed3
SHA512

42904188d97df23a15399e453ddccddbcb5fc33fe8dba78a37ecb5981fa9fa5a21be1d62f9c4410e49f4b9914e92a492a8046242ec3e4c267b5ff56b96cd545c
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBpR42L5FgAytBpW/H:W7BlpppARFbhjbhg42LcfpR42LcfpW/H

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jre-1.8\bin\net.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansRegular.ttf.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\MergeEnter.jpe.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	f686b59f7f8d5481b2bbdca6e66c2760N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f686b59f7f8d5481b2bbdca6e66c2760N.exe

C:\Users\Admin\AppData\Local\Temp\f686b59f7f8d5481b2bbdca6e66c2760N.exe
"C:\Users\Admin\AppData\Local\Temp\f686b59f7f8d5481b2bbdca6e66c2760N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
41KB

MD5
bde5732eaacd4fd694ee7a27bd522c37

SHA1
3d463006d6ebe6a8189af6fc8e5b9acff31cfbc3

SHA256
b89c9f5b8e5664b9b94df29dee0d1a53660e034d1ecbbf2d655bbe6c5ecd1add

SHA512
ac0229621974ce8d3f996b541fe4960889ecb93cecbfacea64b1c39a049ba4cd802af3aa0b70badc2fb83b4b4949ee738e37482674eea2cbecf4ab77ca65fc5e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
158e9a6beb59cf350755f0989fab1bcc

SHA1
84d1fe59f6fb413f0c6a0d6d9dd79c6e7022671d

SHA256
dc158feb59445da0f467ba6283f58718923a27ddef75147be4b5af22422faaf6

SHA512
04a6b77e4a6ba233411c73c0b02b2a26b7ac32661076556f95ec2612e6865577d4d291cb46360e995a606f792bb2c66a2972b3578fbcf02ef5dbfa500d5857fe

Download Submit