d92774040f02ebdf9da4da1d588af401bbd8eee487cf69d3f5b8d92a98b9909a

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca12cf5b352a0a770e4581117d2e55e0N.exe
Size

47KB
MD5

ca12cf5b352a0a770e4581117d2e55e0
SHA1

5fd5c7d3836480534eb641b93179f8d92fb9e0dd
SHA256

d92774040f02ebdf9da4da1d588af401bbd8eee487cf69d3f5b8d92a98b9909a
SHA512

606f70710e306375d8accd60129244ac550d33397fa91cf01a1f6630044fd42129337846964b76f71b5faeecf919adecfea42cfa322d17f8af1e93b857add693
SSDEEP

768:W7BlpppARFbhShZ/D5zf6ydyf+abMkF24kzK3jbrCkoRWNk+AhZ/D5zf6ydyf+an:W7ZppApcZ/D5zf6ydyf+abMkF24kzK3j

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4683) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationTypes.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.CoreLib.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero2.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	ca12cf5b352a0a770e4581117d2e55e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca12cf5b352a0a770e4581117d2e55e0N.exe

C:\Users\Admin\AppData\Local\Temp\ca12cf5b352a0a770e4581117d2e55e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca12cf5b352a0a770e4581117d2e55e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
47KB

MD5
12446d2e6b6406ad880bc92505d62846

SHA1
43fd3746054d8792b7a48e0aa8a107ee28a1ac6f

SHA256
12afcaed663755907a89f0be64de1d86944dacc4428c99ffd78a25bcf1c4195b

SHA512
7851548144a843e0317c15ebf746a8f62960c71a8d1d9c9f31bc463f81e7dcd2360418b1b2fe7ed280971c943dcef4795b898c153370e0f55a8fec9a8cfa8380

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
6097ec01a9c8832a0aa415e9ac39691b

SHA1
262c9d97032e8a368616382e9a620af77509f9f2

SHA256
c62283dd34522e7b5266046ae7dd02ad07f309db82de1538840eb3c71d45793a

SHA512
ddb6df1d57acff8051b1eaebeeb8d42186254255443fcd97959f398681faff0edd869d51b85475d3443e05d97d60a594dd6da2287ce5fce8f14dddd824424795

Download Submit