f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
Size

77KB
MD5

39c6be1529dbe2b1f05deb48777f934a
SHA1

8c6a33ed9d15b5c5af42fd15fd203af203ee8840
SHA256

f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914
SHA512

6a21d0b0ff9e6606df4832e8ae220e46d9f8171bfd6b2ba959cda4c72fe35b7f76c7e1ec14762329bd29944e1eea60c268d66388558bc73594a232184dbb266d
SSDEEP

1536:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjlHjrc:6e7WpRaSlj2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5007) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\DebugTrace.DVR-MS.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Core.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe

C:\Users\Admin\AppData\Local\Temp\f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe
"C:\Users\Admin\AppData\Local\Temp\f67d0b532ad2b4ec7c87ffe9c695898b804a47981660459962748a7eeacd6914.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
78KB

MD5
43bd8a5afc55bc6a2bb9a12e0439541c

SHA1
438ad3458a8deb31927297bd229c4104243a2e2c

SHA256
9d967241a015f5aab252bdc11d3d629a996fef06e376a33ada72f0e02859d44d

SHA512
acdaa8fc7dca1bc4f0554176fb39f8098541e3ce97c1a4bef3b8771c16d70371ee6f4fa7de173dffc66cbf5955e825650eefb9d1c8c47376dc547f801227e78a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
176KB

MD5
3eda7255a4603deed5d74014d5eb487a

SHA1
d4142640c49a88a19764b180350c716d06176681

SHA256
cbaae5b6b7b0b0401dd9f04d33c0215d4bbfd250a4810ed05fc1131c1c64eb01

SHA512
9ce5e2032d7f8050fffbb4d0dd5a2e94fca13bed0ccd75ce54c192292b043ce1c02c6e7d2369b7d64a125813d25378d49a7ee11f1caba3d40208b779d64d8ebb

Download Submit