8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
Size

56KB
MD5

87d6be3c4942f9ea15f49fa95b3b5a30
SHA1

9b769ef5d5ea813039e5812df1b4833078e25522
SHA256

8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9
SHA512

5e4095d1d2baa858a4991fc17cb0b5c2895f1ba6bdbe71842269ee34703ce22cbb117a472f1cb9c281ca7a4a5f1a65768a9cbc361c0bf553b85c761e7d36ff61
SSDEEP

1536:/7ZQpAp18888888888888888888888888888888888888888888888888888888F:9QWp188888888888888888888888888w

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4677) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l2-1-0.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ipcsecproc.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-TW.pak.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\MergePublish.mpg.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Design.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe

C:\Users\Admin\AppData\Local\Temp\8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe
"C:\Users\Admin\AppData\Local\Temp\8f1e1cef63d3e00a37e1250ca299d184c7a9235c8ebbee43813983c509e185e9N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
56KB

MD5
4125da00812fa9d809936834db9d6ded

SHA1
535d672847b8febdf5eb786d3f9f3a8040417e55

SHA256
764fe2ca7115e48fb030f082ed95aedb0f1e8ea95e2a121c146d97666ddb5f98

SHA512
a9f4c7966dbe03fc6d9a4d2178acf87b1fa670900f4f8c09165ab47559ba2ea1da8a2fec7fa7d4343926721d73756bf364259b7c989080c765c9fe567665eee4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
999f3c6888321033b9c5787c03025436

SHA1
f4dc8f2646000c171cd062604dd17b4eb37db534

SHA256
4dd651334a7cbd49def38c4440ee07983ea2ef475b65c78b087af5edf2167eda

SHA512
ce21076969d5db3e0fa6d8f34cce72f4a34adec217ea175c2f2c964adc78cd83729447590128c4da1648be07a12bb145c18580c7298b9c9483c3b56c4d7f7150

Download Submit
memory/960-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/960-1050-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download