602faef128ddafc5855570417b1415b4a48e8b27ec68856b29588d3f14abb1ed

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a5b92eb73d8185bd78c4b37815e830N.exe
Size

51KB
MD5

c3a5b92eb73d8185bd78c4b37815e830
SHA1

cfaea9823269e681fb98165062f9d23a59faa097
SHA256

602faef128ddafc5855570417b1415b4a48e8b27ec68856b29588d3f14abb1ed
SHA512

5936034fd8aa6365562c5b6513b5a185160736b3ac9c548e61bd34f13f5b31ac1f4a4613bcc5835a679a4cb8c2f6abd3f0a1830657cdc75fb832e64ede07d680
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnIH2YsTKnKqtaW3WaEdW3WHY3SjSHaA:W7BlphA7pARFbhvOsTKnKqtkYi+HaA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Threading.AccessControl.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp	c3a5b92eb73d8185bd78c4b37815e830N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3a5b92eb73d8185bd78c4b37815e830N.exe

C:\Users\Admin\AppData\Local\Temp\c3a5b92eb73d8185bd78c4b37815e830N.exe
"C:\Users\Admin\AppData\Local\Temp\c3a5b92eb73d8185bd78c4b37815e830N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
51KB

MD5
b187031ba6885a37cc3fbc37ef781766

SHA1
a834394a07995f717bd87e78a0733274171d9081

SHA256
38877c24c35dbe8b9b8c508539026c3d923c0d518566f230e7f77ae962f04db1

SHA512
6b37e78d9d9e4f42dc1d514a09bdd11a8c76f60f214924d7592fe7aa952008221fb3ebe12b362563244a122490f09299c4878662eb0f7fe0da0840b3f17aad08

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
ca0672198421b6f19b4997d7b79ff387

SHA1
27ef6cc52cf3efdd0eeb2047e2041e49b0dd4995

SHA256
f97f6519c338037c8dcca939212d787a1fb65a4f8a4b164f800716f5ad130f68

SHA512
a4dcb2e61dc1b70523b4ce034a5013aca8116cea6ed831787ab8ed16aa2c6e0993caf8618d5de5b4edd737d192fd88c4782c057f902b05ae8c61be43bdf74d5f

Download Submit