12664f97c15e5defec036aaf9ea7655f2439a95ea181abeb16340b3e0ae97a75

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26a9f12a25abec013564181066baef0N.exe
Size

47KB
MD5

c26a9f12a25abec013564181066baef0
SHA1

6c6608d6a64106e8e71f75c5ee13a7e2d183f7c7
SHA256

12664f97c15e5defec036aaf9ea7655f2439a95ea181abeb16340b3e0ae97a75
SHA512

966e88deaffeea1824db08f06ac0252febd9541df1812d22031a5d69b4f15cd6c60acc5d7acc829233c83b1efa817b3df92011a7cd8db6107ba9bb8ffab54fbc
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7cY6SpSo:W7ZhA7pApw03vR03v4Yd4o

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4657) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationTypes.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\deployment.config.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms.tmp	c26a9f12a25abec013564181066baef0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	c26a9f12a25abec013564181066baef0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26a9f12a25abec013564181066baef0N.exe

C:\Users\Admin\AppData\Local\Temp\c26a9f12a25abec013564181066baef0N.exe
"C:\Users\Admin\AppData\Local\Temp\c26a9f12a25abec013564181066baef0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
47KB

MD5
5a8e028b1c248f209d8628c87fdaa28c

SHA1
bb2151f3db7d9c5e0d41e4130ad17129b6f744ac

SHA256
aa809c5d61fbef86c066cad9cfe3806773d7571219fc9dcffd7881523a81ba00

SHA512
ac86699c84508bc9bfc9484cef43baa4ae5aaf23a317127bc01313c4161ab50db307d42f94c98fdcc162b9773ff57d42a4e34d2d5b1f73557071f8552d36b6be

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
963ead227e2f9bba9cbdac7b1aaf47b2

SHA1
bed845f69ef40f5959a8cca0f03fb094ce1390c4

SHA256
5f0c87b97cb06e2a761e56ba08b68a0d2c72a3a2663dd534e24b14dec6e0b417

SHA512
df9a14d66794113abe424ec58d3380b16e4ca33b8083e5be887c243dec9eb0116f2f255c167fe27ad208bd62a55c964eba18ad88d0684ca1e179d56ad2d909e9

Download Submit