ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
Size

41KB
MD5

7b00a675114e033df3c88d4c860b855b
SHA1

bd5cc2860c8e58a0424790b93ef3b12738225623
SHA256

ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee
SHA512

be348772d40b2fdac21332d088c9e073fdefeaa33a624055c54382bc50ddefb552d3d90c107e64a25e52908eb14dbf3878e96021b400d905feabfdf8c78f02a8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNF//K:W7ZppApBULcfpHLcfpyDq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5039) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsBase.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsFormsIntegration.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPRESOURCES.DLL.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.FileSystem.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationFramework.resources.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe

C:\Users\Admin\AppData\Local\Temp\ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe
"C:\Users\Admin\AppData\Local\Temp\ce4554356b973219abac07a0200b19d5adae49134b9991a903c5240102509fee.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
41KB

MD5
df572e0387f6e3e19a87a3b19247eab9

SHA1
67f1396fd3709e6856216e2ae3d860dec2a0d223

SHA256
a543974da8e87887b3fe8f12508237bbd8c1f45ca7788aaf9e4e291cc4c30fef

SHA512
dee3539289b2d70d5c7f2fb4bada888c34e42fbe585d32ed70942de16d6ba55a0cd16dd1336f9f157d99476684c3e386866feed2c1753b7b9581979283ee5eb3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
55e21031661104a117cc9c8194b06bc5

SHA1
21ccdd226887594a6a80c6c48fb309668f00f33c

SHA256
d252c36c02637e1eb1a5d9c70c4f450585188ebd09787b8b5432e64c868f5dd6

SHA512
4b105fd64b4a576da2e7e2bfdb27586fd34799e0478f23c2852d08549a4e82d6efe57c4a8468d6fdb210949570d32f7639258c1771680bfd3901f4a9ea353862

Download Submit