cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
Size

67KB
MD5

f067acd1fe0e064b0eeffcf72286e1d7
SHA1

e5379192616b76ff874b9e24b307f60d0c8191be
SHA256

cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9
SHA512

6ba56d270916b4ce7480c51c6130178fdeee12457c1b6ec495ed599aa0b7e9ca23b082d4e01c3ba28124d79952120355f78496be79415a51bd4ffdc0f6d73f3d
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJ5DUEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50Fq:9QWpze+eJfFpsJOfFpsJ5DUEhLfyBtPd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4861) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_pt_BR.properties.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFRHD.DLL.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeWord.nrr.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.TraceSource.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\DebugSelect.mpg.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe

C:\Users\Admin\AppData\Local\Temp\cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe
"C:\Users\Admin\AppData\Local\Temp\cb6bac0bf9452ec8f2614666c911e117b24f5b903726f5d60c7ae2b2894c8ce9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
67KB

MD5
c5383b98b16bf54c761b616530ad82eb

SHA1
38fd5d43035315e0fc51ea5a727832b1b8dce2c2

SHA256
99f439d8980359b74152a5a0e9d54a8497fc3a8bb39701470040abe0faac1c7b

SHA512
339b61657fac2d4365b6297d3fb3753aa580f5c898cc1d4cd616a2b949ead8332fd2087de76fa843ff8aebc7a36db0049f24294e761abc1db147639a76e336f1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
166KB

MD5
b5403811071a7dc0d5433f6f65f9abde

SHA1
a7da2fd85830fa614d067b2650aa8092f6e7a956

SHA256
257c7abfeddf8b76e77a31e6e180cc43c0e08c92fa620c0a554422a5da6a0929

SHA512
6ffa9671fe91a9ae64f4cbbee6059e705ddfa3d58a7b230314fc481f8b84a749e170c3b7e04d73480dd3103f7b9496ac44c21d42c342ddeb73a3f5bc799f3e66

Download Submit
memory/4052-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4052-848-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download