f3b178e4a0fce5792cde4be9ed929c8924288d6573f9bf9fda940ab06b7ac939

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6dada454d0f31cdac13eb2c59c95ab0N.exe
Size

5.7MB
MD5

c6dada454d0f31cdac13eb2c59c95ab0
SHA1

4adb8b8d3ec5e6a575735d253ac65d009155d629
SHA256

f3b178e4a0fce5792cde4be9ed929c8924288d6573f9bf9fda940ab06b7ac939
SHA512

9ae7cbb3ebe47ce0f98702b118f055c09ef2c09846b0a776b8e897521b0b50a6e076fba19c05b0050006a98c69d8a9e1907616edf5e1a275c36bd012a3caa7f0
SSDEEP

98304:AimwaCELMjOLIalJ67sj4jmpRMTcToaxLQsp1RXp9nGA:WwaCYLIal06MTo9RPGA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (347) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	c6dada454d0f31cdac13eb2c59c95ab0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6dada454d0f31cdac13eb2c59c95ab0N.exe

C:\Users\Admin\AppData\Local\Temp\c6dada454d0f31cdac13eb2c59c95ab0N.exe
"C:\Users\Admin\AppData\Local\Temp\c6dada454d0f31cdac13eb2c59c95ab0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
5.7MB

MD5
06c001d6656ded43f6e88d348945518c

SHA1
c8acae874d40e2c87fbb0c5411b8185345104e2a

SHA256
b7c24a5d6baaffb1ed2334d766a520d531153f29694a582776b20f5a6858d8fb

SHA512
f1f7737216a25f6d45afb173eabf76194fceec4abfe22f8825e23899f73cb6098fe5377a63a40eb2735980d970169a750f9db1dacee2accf5318e86728ccec1e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
5.7MB

MD5
38a10131c13d6942662d4b9a9e528d32

SHA1
a06a1300624744b7d059f73c28baba478beeceb0

SHA256
694ffad802bea917c0e490a7c3050926111ef3b8972358af845dc6c77fd9cc25

SHA512
3cfbb06471972482d5b3c02b9f595347b6e1728922d102280304a55dd1b97931fba7c47ab12f252c7bd6b4b28833872d45f7afdf081df8dacfbe3ba1975b7a15

Download Submit