f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228

Analysis

max time kernel
120s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
Size

43KB
MD5

4d3e8433ff56edab24771855cbfe8390
SHA1

cf8b092340bd111e6280e7d065e4b4c82beee3dd
SHA256

f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228
SHA512

802dae520e6f37b416535afa69710ae1262c6d229c46af27d7919620182e3970f61a1bfaaf0ebaa60a446d1c5d1af9758adc4240b2efe8b2643419fbc3d9a237
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1ngigh:W7ZppApBULcfpHLcfpSo3f2xh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4670) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe

C:\Users\Admin\AppData\Local\Temp\f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe
"C:\Users\Admin\AppData\Local\Temp\f01c937e638244164fbdb5345cd764fa71f2175b96d6ac880a60ab1bfdb96228N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
43KB

MD5
5cc80a3943184199bb237b7a669e31a8

SHA1
132d1dfd5045fb2257870dfb4aa5636f478a6d5e

SHA256
aed5250d618a168e86f2a27c22d0e530951ae832e16fabea09faa601f193beeb

SHA512
1fbadcf6ae3ba8721b1b5c0f26d501c12da91f4dd0dd5accca19ffad4d07d6caa10dc33cee5962fa31a0cde59e29b814462f93040466a0634e6c67244d90ff95

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
fcf4103ceb09c5d2f1d011b66f047f76

SHA1
0b6ddc1f9d90fdcaa92efa042a9fec90b515e807

SHA256
449d255b92410077687d5ec683b50377c47d454667bb2b3b7db67b5ea6633fce

SHA512
77ed6925f0bf3b3c3574b56eb6580feed7cd592cda77980e85c4e27b69a2eb6259fd5a60424fe1dc983e5640c94a8700aea2a2dd3ba6aef7d438eb80ca8f45ae

Download Submit