b4643df6606f1e4fc0156e04d8221badf25ac060b6f8f39cd7e75d75052b2202

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc59e367bd1643953f6cf9b11cdd980N.exe
Size

46KB
MD5

cfc59e367bd1643953f6cf9b11cdd980
SHA1

c43b213601307591bcf716384f79a864bb7a39a1
SHA256

b4643df6606f1e4fc0156e04d8221badf25ac060b6f8f39cd7e75d75052b2202
SHA512

69b04b801f5e8f9c251824087c530bf55662cc1aaa4b4b76d0c637b3cfe195e8e1ab0977f5b97b13e4b190fbda2f1abf8ffadfd3488de48ed1a17a5fdee3a4b3
SSDEEP

768:W7BlphA7pARFbhL801VvM801VvcR2+lJtZ2+lJtSsM:W7ZhA7pApw03vR03vcltdtSsM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4685) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\msipc.dll.mui.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXml.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hu.pak.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Input.Manipulations.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\uk.pak.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	cfc59e367bd1643953f6cf9b11cdd980N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfc59e367bd1643953f6cf9b11cdd980N.exe

C:\Users\Admin\AppData\Local\Temp\cfc59e367bd1643953f6cf9b11cdd980N.exe
"C:\Users\Admin\AppData\Local\Temp\cfc59e367bd1643953f6cf9b11cdd980N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
46KB

MD5
48b8a4235cccd98c5382a8c5ea565fa7

SHA1
950a8962edac06eb611b931d0eeb35c1d138e1ed

SHA256
8d661bdad011dbe77f1f0008e95a5afe67e295ecd6c3a4719568283e4b10a02c

SHA512
38c077eaa07ba48de3a918679a6dac2552ead2930c80270cdaa89e44cb4355b1d998bdd8006301d83fb9e9ca2f0a10e0a84914180457c583fac2d942f34dd930

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
fba81bc97a83054482a906909fb68c2c

SHA1
f30e8f699a8c09c22135e8455ee314991460c17b

SHA256
b6e46e5313aebf3bb907e81ce341145684250d015bcbce290540b956561ab11f

SHA512
ccca8059446a11214bc91b78ea75af8a998271f1c3089584583dbe52900811ac764d61a8bb13e8e59803d135a52da73af08b3ca40b1d234a710864e58df80eeb

Download Submit