c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 02:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
Size

228KB
MD5

08b1cf406a6d3bcdbb0bde5258000523
SHA1

bb95f8e7af0e32ed433ef9e44eb147160337d06a
SHA256

c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727
SHA512

ed57ac66849f9af3e864c6b433a0d9873175804dee92790ae9707f05c15a6bb271a47d5eb4c87172fe41ef5d58e0b26732bf6ab8d4e94ca182b860054b1f1bb8
SSDEEP

1536:W7ZhA7pApBt+OKOsZKZZSjw4Vc0VcamdG3mdGb:6e7Wp0kDSzTx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Specialized.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe

C:\Users\Admin\AppData\Local\Temp\c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe
"C:\Users\Admin\AppData\Local\Temp\c8e4be470be60630448063af8e33a2685215c7d50dcae5b964a7bba6b6d92727.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
228KB

MD5
ed709cbf5161fcd8751750c3449b07f6

SHA1
96b203c2b45ce53904a529841e912b4b498c742d

SHA256
f9310026b7cdc1dbd52e984b9e90fbf59c2bf3561e6f6acf2f8a793d0986a3b3

SHA512
34a181f25e8aeaf43558674b9c020fb7ad6556bc62ed4b49fcb6dc02bf3277888595efd0e2b80a3ad5b61c1c83ac18cab80f3698138ec0de375419753035eb8c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
327KB

MD5
40b37194a46b6d9c2d5e40fa3487131d

SHA1
f7465fdb6b252c8fab7eea7ef046a695a4e3ae75

SHA256
087be8aca18d014b1f31922caf0693a618a00138f865b5fb553c873ff9815ac0

SHA512
66d2bc899438323126c8b51131fa305151db9b36223aafa91724bb0732d0e054ebbe5e6ff2ca3cc2a572c4868bb81d9f53bb927fa5d265ae61a5be72e4fcef8c

Download Submit