f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555a

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
Size

110KB
MD5

6b98b84d2d2a8c4b38d6a195bef85cc0
SHA1

ffaaa3627bfa14f94210075a464c64daf5e87329
SHA256

f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555a
SHA512

7ba6636e85e66da2842dec5c2dec352bf49d0da64585620cb22432aeb336c678461085de85a21e8dffaee69ee490721776421d32e4dd91bc9aa1a3b1418be15f
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyB8:PqFF2Ie+efsim2QA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\eventlog_provider.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe

C:\Users\Admin\AppData\Local\Temp\f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe
"C:\Users\Admin\AppData\Local\Temp\f80dd0ae38cc214406674b0b40674e85c78aae3357040d45721e756718d2555aN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
110KB

MD5
5f970db19a8a982a27b96c5f3c667622

SHA1
30fff433d17737e506c7d0ba8ae4bf85a3165849

SHA256
148884267139ff98a9c55eb5521d210c297e51bfcc952642a83ef9f46b1473d7

SHA512
328026bdc45062f2dec60d82dcae0808ebcf61c0d58f1d5b65eb9ff15c6d12e8a0cb9892ec0b70a23c5a2353ecda4acba71c600a048105b0362fddb6ad2f536a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
209KB

MD5
864cbef73710b5bfaff56b33bb189a25

SHA1
f6537f8ddf690be9ed867c3143c21e83e573c989

SHA256
fc8826e762d3917c8f289b5388a8e5fd23e521f47ac80dec8b6fc22d58e55521

SHA512
3c6506c9949be05b23842a5075425a447eeef486d1d5accc0fe75f2591471a741a83333e3f4d8e8802da0b07cf18b20b84ce66e57f7dfdd11f41181067a28e43

Download Submit