ec18e086e1b1db956b7016fea9fdb8195813b2ce255512ee69a414d066a2338c

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c606ec631662cae5ac8ce920a84b8420N.exe
Size

79KB
MD5

c606ec631662cae5ac8ce920a84b8420
SHA1

93b0e3631a0d66145840c12b288915d425fe735f
SHA256

ec18e086e1b1db956b7016fea9fdb8195813b2ce255512ee69a414d066a2338c
SHA512

891b8de97e1bee07a35f68f78064ae234ecea6ba76c81eef3d6ee39cd286db30181ec159ccfe4fc6b14d24f96b190bdb3203c8bb73578d346f142a08fc208a33
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJeFrxFrd462:9QWpze+eJfFpsJOfFpsJ0rDrN2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsBase.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Handles.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-oob.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk-1.8\jmc.txt.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c606ec631662cae5ac8ce920a84b8420N.exe

C:\Users\Admin\AppData\Local\Temp\c606ec631662cae5ac8ce920a84b8420N.exe
"C:\Users\Admin\AppData\Local\Temp\c606ec631662cae5ac8ce920a84b8420N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
79KB

MD5
ef30385fccf1619163907e64fc21bb62

SHA1
10797aa0a88c47b793ffc9aee32e9263757ec0c1

SHA256
1c8880eae79bad52fa59d6475a37062a4f694fae3cfefb58698a6439d07c96a6

SHA512
9ba0de3d97728476b265594fbe8bbf0730348e6115cf21d2c567302e56f7589e53fd4b1c8849a02ea77f6536c8814c9699ec890ab61b488d5b85d51d37e600ea

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
178KB

MD5
1a92578c611dbf0b4105fae1432a6c1c

SHA1
f192199d7ac3362befc1fdac36b98e55205452c2

SHA256
1d292978dd16b54df9aa68c9f5ffe19e4b00b66c2bff617d7d54d51589aff4c1

SHA512
7583c584985b7b48a2104a5b794bc891033b1398c458b79e17d240f1a7e41c0d5c99ff3eeb0901698e2878d3ca948e9662361b876b50805c11932be8343b421d

Download Submit
memory/2132-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2132-860-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download