f9aaa20b3f0b73e075cd98a76695765178ac20176a16d2af3b925f5b10642f88

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cce1bef056092bfb374fd94a62d3a80N.exe
Size

54KB
MD5

5cce1bef056092bfb374fd94a62d3a80
SHA1

1a56f002b5871cd5b2610d2ce8aa342fcba9c741
SHA256

f9aaa20b3f0b73e075cd98a76695765178ac20176a16d2af3b925f5b10642f88
SHA512

c0051ffa81f0bd202080df7f3c6016e3e46d761efabb73687735217f3188e1ee6759c4416be680a20ade875ebe40e47a076e3eeeb459dd1d86c045ebdb749138
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNKVkVYlIAItCCIntkntV/eazc5azc73A3Q:W7BlpppARFbhFAxC7ntkntV/fo4o5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4653) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\centered.dotx.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.tmp	5cce1bef056092bfb374fd94a62d3a80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cce1bef056092bfb374fd94a62d3a80N.exe

C:\Users\Admin\AppData\Local\Temp\5cce1bef056092bfb374fd94a62d3a80N.exe
"C:\Users\Admin\AppData\Local\Temp\5cce1bef056092bfb374fd94a62d3a80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
54KB

MD5
26e3c2ff65d0fc45046888fb946c3437

SHA1
9342b0eeb776807ef3e849d17ff465d84d01102f

SHA256
f46681953f5390bf607a9a6aaa7c700095c0d180cacdda1ca20ec7bb5aadf0a3

SHA512
c29ff37e55f190ab2eef4c906e3ddc85a2eabfd39f0d22228ac928bc2f3872c1094a9a1a829b5be99ffeaf726ae56e5df843b6cb6fcc94855cb8eb293b47feca

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
909cd569b62b6e80290e8bae102d3c45

SHA1
10c515fcb0f236ae7be1cd417ed57dc4e7ef97bb

SHA256
143a9a8444e5f57b4d8c0edbb5896340033135aeb4ada4a47e6dcf5046c9e812

SHA512
a002bf173dbf3d7de474f1d3809368d7335e56374f6a1d046ff90449619dcd4afe96f25c4d8285d4c4594588b5fad154efe8a12416146608a1d995d4e787d1c4

Download Submit