16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
Size

80KB
MD5

00370ef3a3485df1e0a9489024d1ca51
SHA1

175cc30f352b381918bd1a54c52a714e2dfedcbe
SHA256

16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e
SHA512

4dfe7a8cd6dc3aea7f56c48ac8fc8dda41a83de32b88b255382b3e640108c6f18df09f244b5b259d33230ada3dbf5bc85a727c1d501621f31229261872ac7d92
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5gYTUykUyN:6+WpDfmRfmhek6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4632) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Extensions.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.Primitives.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\INTLDATE.DLL.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ms.pak.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe

C:\Users\Admin\AppData\Local\Temp\16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe
"C:\Users\Admin\AppData\Local\Temp\16ed6c10348127d373cd7f3e14c1c72d23287ec0d4cd3bee2edfd3df9af4685e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini.tmp

Filesize
81KB

MD5
dced34bcce32335b0c8b3a9a44f6aeb4

SHA1
e47e7c60c06882c4b01dc7d0f9c5a7cfcf7e78de

SHA256
224a867cc3ae1fb43790d7d9cd237e37583c4ff6c0236d7ab50f10e592c97d84

SHA512
40915a1973d07f95b20c1ac6b71f35563bc9831ca61323a1e2d8cb039deffc3285c25216110ce8b5cf377bde9734893481a76dac5e90369aec9c242d269c47cd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
179KB

MD5
31c44e9e755192c46b9c21fc3416ed85

SHA1
bc63a9fb6505cb2bad74738bb6d066d5c93b6c30

SHA256
bb1683788c6bf7abfc80a2d0457500ba29214392bf4a083b7b213dba258f527b

SHA512
cbb2d9465278ff32d35e7c30dc9816a5020d88fd3b3dc9941c83b81b5a44da35e817772c86e90b45e5e7c6ef063ddaced9ab1391cb1cea5e35b5e2b18799a6d6

Download Submit