2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
Size

51KB
MD5

44a81b290f382e88d70019267fc7e1b9
SHA1

16435cef73757f44afd4101592093fbeb8b19612
SHA256

2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd
SHA512

c106cac268de4cd78d4166506184e951a89803876be6ec6d31114f8d40af997c3adf6f96c0ab5a68f4b0281455c5d42f1fd83e2aea4d1422eb3590057acc82bb
SSDEEP

384:yBs7Br5xjL8AgA71Fbhva4S04Shk5c5iZGb8:/7BlpQpARFbhS101hk5c5iZGb8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5260) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PRISTINA.TTF.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.tmp	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe

C:\Users\Admin\AppData\Local\Temp\2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe
"C:\Users\Admin\AppData\Local\Temp\2fc027e06833c7760629d9b08753df792b99080a0d4f6e2dd9afb53063f983fd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
51KB

MD5
e7b2eef71e1cd6ac3f6340ac8dc00b4e

SHA1
30652b9e22a8f768dfca6327cc287ecd76c89804

SHA256
78da80dc723f0920f4b6ecaec4acb21d133505c5a7cbf6addd9e1cbcc65a58af

SHA512
1a449a142b76715f5e13a8383bdfb17790933660bbc6c87fb6c368fda154e294b96195a792b004d3cb7f4256a512affa5f7da647bd04ed885deb062ceb6b8b85

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
66b9f108bdd05ea193be574098e98607

SHA1
bb68d5c4bee4609891df4b5653e887429b30e331

SHA256
82459153b2a616f7fb3ab94fd67faf2816990d882329681b12f21d543ae662ab

SHA512
662d8d3ff02d619e85c60ec78eee1775b99f41b9f74682239fa5eab7781ad5d506e699c318a6f19caadd7c7fc965f5c8ab72a0ee9663e5a4f2e0869aee7c8f7c

Download Submit
memory/4232-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4232-902-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download