7526fe0e5e736caa9bbf61e279bdd8f4cbabd5081a40aac9e7dc18318aace233

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaea6ef3bf93e207c6910a53ed030e0N.exe
Size

40KB
MD5

cbaea6ef3bf93e207c6910a53ed030e0
SHA1

9b0a9238f7c17da0ff055d437cc22dc6a79a460e
SHA256

7526fe0e5e736caa9bbf61e279bdd8f4cbabd5081a40aac9e7dc18318aace233
SHA512

8096209dfb67ba5cdc0bf89699b045b5bd81ba2095559ddfc7a1c56216760e590cc01c394f94431d8ef2617c246f6a1627489857aecf3461ca0aee580ac5fbf2
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lGK8WKnFIMK8WKnFI+:W7ZhA7pApM21LOA1LOl6NKNKnF3KNKnp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-pl.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\msipc.dll.mui.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	cbaea6ef3bf93e207c6910a53ed030e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbaea6ef3bf93e207c6910a53ed030e0N.exe

C:\Users\Admin\AppData\Local\Temp\cbaea6ef3bf93e207c6910a53ed030e0N.exe
"C:\Users\Admin\AppData\Local\Temp\cbaea6ef3bf93e207c6910a53ed030e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
40KB

MD5
8de580d86fe2a774e1d4ea626d28a3f4

SHA1
8ebb2b4f38ffc7428aa1836f0d4c4687fe1034ac

SHA256
d577937b133ce8ca9036faaad2665765be8c9d02f7718f1f646f8ffa456ac06f

SHA512
288a72114edd901242e66c476f846509a0722de57b04717631b6527d4e47eb68e128df683ebd60f1190ce7be51052cbd0350d5866c5226af2ef925fd77b24e27

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
ade32b9ab92cc9e72b9e7866d1ee9565

SHA1
e11ea1126e726099a5ada38f852e61d722b0b50e

SHA256
39d9f2e60440ddda9497659acc996650a2392dc16c4c4103d59276950f01ce45

SHA512
4f6d3384041138ed1208fdaddcbc6323555d1213fcce2f05c75cf26eba6f27a1f9bfe30b5890c75725fded272e75010c3d171aa40c2c94aaee45a2ea55668732

Download Submit