f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
Size

90KB
MD5

b3756a1b35e2f38aa279ae23a1ebeaff
SHA1

c0565e1575b2bffeb7fbe2e686e95932d6ad281b
SHA256

f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7
SHA512

fbb62900c84f4719b9e34f121664565a2990540ec78341e21d7440fba5a4e95d39065e5e105ed91aaea791b69b58bdd5f7021dc7c0aac1c6577f4587d70e19bd
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJ5DQ4PN54PNH:9QWpze+eJfFpsJOfFpsJ5D7Wl

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5013) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONWordAddin.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe

C:\Users\Admin\AppData\Local\Temp\f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe
"C:\Users\Admin\AppData\Local\Temp\f1e2d0ba561240a3dfc311eaeca93fa16940fbd3a8f52205dd3576707bf5bee7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
90KB

MD5
c2fb20070ad4a0337ba67ad634e68369

SHA1
ee3ee40201bd658ff23637b42830178757b93141

SHA256
d4a69606255d9868f2f7085f0015286a4aa0c22544e36ffcac9861d089707aa9

SHA512
a88cf67ee84d9ac4301bd448be6d1f51b02700b9c2da4db80e00bfac62b15abdf14afa9521ec3a8d11affea315f66651a4481d0a51033a894e8fae4c1b57b4c8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
91432e5aed98bcd324683bc605991143

SHA1
687158da7e6e6624c2dfba2544043324d7a78954

SHA256
b0485b8f9cde44e50685b373a702b4cee96c98542c6fd18f835fc0bd4b71370f

SHA512
314773af903b49a17341fb697f06b9b0e37ca3105b27289452635b4c3c405823ec53ce2539dd2b0f2a0ff25457992ffc4d316bc469d9b9d4e8b9a07cfbbc274a

Download Submit
memory/2892-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2892-852-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download