c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
Size

78KB
MD5

680be15792c2ec5fa445b7f7534905f0
SHA1

f13b0813b77ab1bb8f6d971369e3a258288a0d2f
SHA256

c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95
SHA512

8be067d72c9f0778ef52f6b34bb7bd171af6996318de93bb6d7edd62e6e0becf9775c3d2556fabcab47cb508e22d85178c9ff82b57e6739946dfddb2b1339682
SSDEEP

1536:W7ZppApBULcfpHLcfpX2/Nw/NwmxrLX6HuH9uH8:6pWpBwchcV2WxrL+uduc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5037) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Sockets.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\ClearMeasure.snd.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe

C:\Users\Admin\AppData\Local\Temp\c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe
"C:\Users\Admin\AppData\Local\Temp\c1f7f04383ba8457337c5ff1d0d2c5df87fd5ff92dc8c4f8517d0bc1d8f61b95N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
78KB

MD5
e177db731eb1d0c2452c6d95c715f114

SHA1
3672061e2a3c1a361dd5282857f00989743c5eb1

SHA256
43c5938d66d7a992962cdf98f6eabb3a70b96feeb249fe09294ba5929ad4b608

SHA512
1e1cb53b88a616b1a157df33805444a8ca48c162713585f4f821808ab649ae52f92342ebccce5f88aecb202f35f8c0c92f70b883400e7d41967a38c04f609db6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
177KB

MD5
9a07a13d2f4a9c9742123422fd45d68d

SHA1
ec385a09dfb2dc9ba2ff2d3d91e4789533db661a

SHA256
2e861a8aefdd38b04a65aad7c6ffd23d7307f3934def336e875d690c74080ed0

SHA512
fd261af49ad3b1d09376a1b35e2324a4c89381f34f0b556c6cb4eacd359ce9fb71fae88e077d7a4d97dcb6d00e008957fbbea3e2453afb94d1b5364d847a1c78

Download Submit