Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system
submitted: 02/08/2024, 05:10
Static task: static1
Behavioral task: behavioral1
  Sample: ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
  Resource: win10v2004-20240730-en
General
Target: ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
Size: 86KB
MD5: a2d2868bf54d1fc1606c9cbbcc4fea1a
SHA1: 5778e09f08c641e8bdd4017929d0822980dd5e4a
SHA256: ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05
SHA512: cde0c23c412d87585f9c56e57ae3c213b274df6f0ae9269310d6df8a8e4370a2af9bad3c8d478954b7be72cfabf9f26a212bebd9851bde261dc172fab0d85dce
SSDEEP: 1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eTdsdYSW5:6e7WpMaxeb0CYJ97lEYNR73e+eBSW5
Malware Config
Signatures

Renames multiple (5021) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\da.pak.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\pl.pak.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.106\default_apps\external_extensions.json.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce59a125be5abdd6c5885303fdbcb37f52b883aeea519f603b6540c5ff7c4c05.exe"
  Drops file in Program Files directory
  System Location Discovery: System Language Discovery
  PID: 1768
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 86KB
MD5: 118337af6b341747d0fd92c9a8c25b60
SHA1: cb423aca42d77ce27e9a4fdeb171b06c13a558fc
SHA256: 2d76d4172f2aecafb1c674b44647938f0ff8207204034078af563b2a7a03c468
SHA512: 1a24b3dfcf453e2f6359e14fd971088b3fc6185a07770fde32a6c01dd81bfd1b9052a5a11b6cb05dd7d1ce8500ecb2b2aa59ca6d539427288338333636542e22

Filesize: 185KB
MD5: e2cf353aaa9c5c799bee1245887f7f0d
SHA1: 114079f76206afbe7f553c8b5a3210ff9fb1c397
SHA256: f646f184e027d800e541671eab0410650d7587d2b57db0653db49bf8920ff5e1
SHA512: f89acc86835b2e8bd686dbfa313b27090554ad74d3b1b83b82972bdae186f5d081be5098151e26319f78b4b4dc1875523e247d4fa4f677187132cdf36166a157