fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
Size

45KB
MD5

f26ec920df9a4a153fc83a7bcbf8ce94
SHA1

e38f86de5b38201ba0eeeeed9a6126acc0187057
SHA256

fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917
SHA512

3fc541acc70775bf5b0e345ec8bdb9e747463bd0d686ebab10febcc097c91b78b5b69b44ccacfd2ba3ccfce7949d580a67753dccb1ed0f00f1880b65efe1267b
SSDEEP

768:/7BlpQpARFbhNIYYp+BSBmBCUK9+BSBmBCUKbWk:/7ZQpAp/MkPMkK

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.White.png.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYM.TTF.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Java\jre-1.8\lib\management-agent.jar.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WordCombinedFloatieModel.bin.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationUI.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe

C:\Users\Admin\AppData\Local\Temp\fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe
"C:\Users\Admin\AppData\Local\Temp\fdb7cb57dd0d40dbf4ee2188e78b104fa77ce8c950777c4dd092f27706554917.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
46KB

MD5
4dd73db2bdae5f38339d0446f111cff4

SHA1
03f4123fbe9dea0ce3fbfa29b6750ebc73545a66

SHA256
8a8f3c9d9099987a11acee1b3e3058c66f16f0f390e141f16b8f2b4d95cb569c

SHA512
cb2c5e7f628235b1a0bcdd55c700e75d26dd15b5584431cf00c0f22d1d890c92a5338719a797c0d530c96f626e44fa8a6bd6a1715d88cce6b4b111624f0962a1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
b442eb46d6a35b9b7d884dab47230736

SHA1
9303b57f39aee63479f24786c4068a43b474dfbe

SHA256
70345d6fced66a61ab8f0565fdf518ffce8b88cb4951cfbad5964d041f823499

SHA512
fb37649fb52f843645567e42742bac667ef07b32042a21035267380c8a700bf4508c9677d4a9fb3426e0f447dccb884b46872c9e4ded3a765182c5eea34b0faf

Download Submit
memory/3168-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3168-860-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download