1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864

Analysis

max time kernel
150s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
Size

47KB
MD5

f0f71d0f18a0fd53a6d9f159deda37ce
SHA1

23126e80c1d0c28d76172589f5d1133e6483867b
SHA256

1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864
SHA512

1ae31fe9b08ceeb7288d378e52d32b0536d7837733776b271f5a49359c2f2ba2076c60572b636a24d8aa5c74ef8ffe8d48bad82944081bd1fe0b23b6442a3256
SSDEEP

384:yBs7Br5xjL8AgA71FbhvhwMF1XxXEh+v8QrArn:/7BlpQpARFbhtF1XxXEhk8B

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Extensions.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsFormsIntegration.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Quic.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClient.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\InvokeGet.tiff.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe

C:\Users\Admin\AppData\Local\Temp\1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe
"C:\Users\Admin\AppData\Local\Temp\1c0ba2224832defb2e4d1cd2b47795a0602798d6950fc33d28e3f9469342c864.exe"
1⤵
- Drops file in Program Files directory
PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
47KB

MD5
650c1e2cc6de8562c11787502a55536a

SHA1
f5cda1d9155bd5990af6638fbbe7837d3ca53785

SHA256
67ab93fabfdebcd59ce73526f93b83a272fda1c078bdfc912134eebcf16e2be3

SHA512
b39e88d8a0a18870a21d81f5cf281b457d700772cb9166ee17aecc618ade7f3548dfa62108f25ba946aa86fc672c87ec1f39795828d79335f09922fd619ebd18

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
e3104b8db42b86195e64a1ecba3abb20

SHA1
d3a7be78003a1193973baf19cc9be5c29518c39b

SHA256
c12e3933ffcf9ec4f5aa56084bd197d64ef0aa12a68b4632fca06d1837e7244b

SHA512
f17ec65401e56e8514578530dde9dce629d6fb312b99033295ee1e23702d57f3a816d89723693c404724fc1d1d39e79bba69a43cd0b3e4a4cc11465b82f18c8f

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2168-1984-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads