6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
Size

43KB
MD5

c7ddc206d6118571bb82a886b6502f08
SHA1

ec342054e8ef6052f5108d4776e7d7b442017bf1
SHA256

6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e
SHA512

81f5188c63c89771bf8b956511e07824ba6c0a734d2d38865ac39bd45c7f6a0bb8a29be957711cb196e3a6d1c5150cb8c00f108c462ae83890acf8546a08f214
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3Gb9CGDb9CGBjUDXV8gcjUDXV8g3:W7Blp9pARFbhOCQCPjt

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClient.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe

C:\Users\Admin\AppData\Local\Temp\6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5318eec3fbe1d5f343929e50ad1be98cfbcdcfb6d3f2195be2ad239e212a1e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
44KB

MD5
8b5101fdc19f4695be97705c8904c8be

SHA1
1ebfd82aeb1250d2d70ec19d98e99caa022cb3ca

SHA256
b7997b6bd9aad3d0939f49c1299a26c00a0e739005de8e5bb4bf4e855272566f

SHA512
f46a64baae20e6edbd284e093c1d6886b5e4129be8dda79ade08131cea9294066b171dcf3c3042a1594fb73db0c0d7b7eb92d193cb89b9509270c1bd88c6d847

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
0d214e375643502b5565b02e8be9bf39

SHA1
1c57031c1233bc5d45e114627cbf9e5deb14e0d7

SHA256
435209a30b80db1a8bef156dfcfc58d3c9084c0f3d2f9427da3abdc3280c219b

SHA512
007de8bdf3b76425c024af82fdb6d2cd9c59928a917b250c3ab0f5fb6d11a199b3d5f479390eb79506cfd23c0d2c91f656a0bba21b5b3aa2740c6d2ad64abbd5

Download Submit