dd114347eb93ea5b1ce9885f7f3cd0974474805c6c1f0bd3f560d1341044bd51

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
Size

35KB
MD5

fcc7bb1176b4f38bf3bf25c0e54793a0
SHA1

c011ea3c142bd0dd6ad9bfbb9c0ab987dc07d7d0
SHA256

dd114347eb93ea5b1ce9885f7f3cd0974474805c6c1f0bd3f560d1341044bd51
SHA512

71568422e7fb1330dfc47237e09029c669e6a2618e4721fb12b49342c0f70684cd125c432932ee2dea467fb7ffd37227c81d4a6256eb73a2b0253e5e69813cb8
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhv3KueKudLl++Ko:W7BlpppARFbhjbhPKueKudLw1o

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcc7bb1176b4f38bf3bf25c0e54793a0N.exe

C:\Users\Admin\AppData\Local\Temp\fcc7bb1176b4f38bf3bf25c0e54793a0N.exe
"C:\Users\Admin\AppData\Local\Temp\fcc7bb1176b4f38bf3bf25c0e54793a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
35KB

MD5
afd4b83d445cb987ddd680f28ce42644

SHA1
29baa31e332a7573bb7366145e37b4c93ba59ef4

SHA256
8f4ff0938cdd633cfe8bb883f98fae792c881b53edd968a09799d6c9b9f7daa1

SHA512
f013059e6b2425787db29d939210a667b92ff3bec57151142650d09fc621ecadaab8aaac093ae98f3e6bee0bfd1eb977259440a337306af222d507fc4a694414

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
134KB

MD5
38eac4ef1ceb376e771d710ddacbe60f

SHA1
5f8bf58f58c011316c824e4d753c3e72badb41f7

SHA256
f28efd890be19e53629781396a56f98bf7cf1557dc873b0c9779c66e4345b407

SHA512
fccba475705bd8fa9c42eb418f831ec9ac372e30817c6b5e1841df37acdd5646421e5bb2bbd2deb44aac1acab01b255d7bba170edbe40b330357f850fe6295cd

Download Submit