f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814f

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
Size

46KB
MD5

f86cd6f31bf7dd6e16033f9e1a401d20
SHA1

d8e994b57adccc29fd6c28ab87bedee0e1b8c0af
SHA256

f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814f
SHA512

05087626b2f441b0dedfd8e761583ac4e2decb6a707ccca1f67675dc7862ca6976ceb8f359b7659bee19f71d749d3884c667044afc094a1fdbfdfea7eebec41d
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJilqGelqG4K66CPK66CuJ:/7BlpQpARFbhq1KtGFGxNCSNCo

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4643) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jpeg.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Extensions.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\shaded.dotx.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\msipc.dll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe

C:\Users\Admin\AppData\Local\Temp\f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe
"C:\Users\Admin\AppData\Local\Temp\f7e90c1759ab55a647dbff02d069cffe9067ee02190825a0d77aed8f9c6a814fN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
46KB

MD5
8cacc5bfa4625b669471722373866bdb

SHA1
1bfdb6aed95269682406128734e60949b8e2bed5

SHA256
e7004a71b4b19d8a740199b30c36b4082fdf89387f2d6dbd8be74d797e8a2731

SHA512
eb1be8617fd1de97c7ba0168182c23329cf257ef9119c296fb29f44257855417bafc8c4476ccd74f40ae0a9bb2e7055e3488caf46f9c88cd1949e2aeadbf5c12

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
ad01980fe6249190b5960415e9820ab4

SHA1
ac76cb13ea9d93e060abab9727709b5ce5bc0ffd

SHA256
730611ba3fbce1c34a63bf98e37e8d009cf15ae7d7b35b18d93145906a6e24e6

SHA512
1a300b5a9ff5cf09bce1517154c23b32bf3bdb22d617de76a1a3edef19bafbf99d2dce398dbf7106f6ebc44afbafa1bbb77a2af2bea97a3e2f467b2b6d55c2c8

Download Submit
memory/4976-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4976-914-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download