07a4d5870c74e29bdaabbe586315af5faecdf6db0e0ab193fbbe41859e1adc2f

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85cedd345d57262bbd69a57a91b94d0N.exe
Size

53KB
MD5

c85cedd345d57262bbd69a57a91b94d0
SHA1

162a59cc9345639d7e679ae01d464d90f61c0076
SHA256

07a4d5870c74e29bdaabbe586315af5faecdf6db0e0ab193fbbe41859e1adc2f
SHA512

483da36f3e0535914567b0ef533cdf1282286a8f9d3e45a8612b94cbe40c7245e16773d0c70929bca45ffe4dee5aab557da1f12ec4bc63889cb35816fb2ca6e5
SSDEEP

768:W7BlphA7dASbSjJJ1EXBwzEXBwdcMcwBcCBcw/tio/tiRSU0SUF:W7ZhA7dABJJ7TTQoQxWF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-oob.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	c85cedd345d57262bbd69a57a91b94d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c85cedd345d57262bbd69a57a91b94d0N.exe

C:\Users\Admin\AppData\Local\Temp\c85cedd345d57262bbd69a57a91b94d0N.exe
"C:\Users\Admin\AppData\Local\Temp\c85cedd345d57262bbd69a57a91b94d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
54KB

MD5
1c8bcaac92a257281f7875ac1ef9669f

SHA1
123da5f6ede0701d7fa9dc7bde6b6d79bcce0cc2

SHA256
92a79f1a66b1b8ddb4580a54f1c8c7e479eabecbdb5cdf0bdf3735378e4f583c

SHA512
8c547db84e8a051b88833ea69f891d34cab36436beda12d01b0a0fbe1dd23a676dd950e68d15f352e07814afa7d34969fcee147a2a7d1a258887951a5abeeb40

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
c220bf6af76b277e3f464db45002bc8c

SHA1
19136de8e4a5534b9c9f7d0ec605d205765e2595

SHA256
345ee0cc79922b86a749940b134a1e4a8f1178180292e4947cca716638f672b9

SHA512
059e0bce6323ae2d504ace4d99cc5bc38daa8904f1e9217b6d338677de5fdf85c17fa8275b6b73cf36b01ff6eec6209ea4a2bde31ba863f3f779da8970a0c8a9

Download Submit