f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
Size

53KB
MD5

70fbe683c5e7fac893426db08e47f000
SHA1

84c5f052b321b82e58c080d0def280c7fc7d5fff
SHA256

f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159
SHA512

f9d468bd936b7473e390a26d97c582f56383a755761a91cc3e160ccb1076414a1bd9a5eb8b35094bb4452a85b04466eaa6bc7feba00e318674c8a7f708b0a3c7
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7lSKSW7afHFCSW7afHFy:W7ZhA7pApw03vR03vxSKSWu0SWu8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4681) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\th.pak.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe

C:\Users\Admin\AppData\Local\Temp\f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe
"C:\Users\Admin\AppData\Local\Temp\f1c59859edd804b91248250309f6efbcbe539c636c68da47c5786fc67e3bb159N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
53KB

MD5
5c4944b6d67728bdb50813e1fff6c929

SHA1
ff94c8b12bec841aba8cbfce4ebcf962f78af72b

SHA256
0e41a8bf313e47560ded3ea3a20413cc52032349a4d79478767ace18614d488a

SHA512
9a75146f0e62d714ae9d50a855dc4189956699cca7339674ced0c21f1f41a8c3ed4d1953e1608c7f850d13f77a9c5525c4982c03fe248a3e3e36e4f8f6b33f00

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
51b7a73f1efb45fb9189db9142aa0082

SHA1
5fc5a1d7fc8e3b4c13aaea0280a38fc22e7173b0

SHA256
f010d96a93bbcaeb9db78432ce137691c6e3eb287f1611099f02c85243679a9a

SHA512
e1e62932d60c9982f721bf796f19d71040b538d4349ecafb3146ac7ed0462eee270fa8dc6f340e499c35cf82c1593ded2141dd35e652e5e959ba1f3d41a35e7a

Download Submit