485b9322eddcf5126c18b36d137e036b9af10f121d46b73c665c24190422196d

Analysis

max time kernel
120s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c959a7e308ada6f75b279eb50751b630N.exe
Size

93KB
MD5

c959a7e308ada6f75b279eb50751b630
SHA1

73537cf75d6ef03ff18e45c934898b1b4946ffec
SHA256

485b9322eddcf5126c18b36d137e036b9af10f121d46b73c665c24190422196d
SHA512

8ebea463ffd4fbfbf070bdf8abaa183f6b594bca8a96a48a6f2e6a0463fd93747eb99391182994065a72afca69e80f2612ba76019badd76a3e456476ec31a7ad
SSDEEP

1536:W7ZhA7pApvOsOKjC0YSilpFpfkJOMETC+cI2IPQ/hQ/Yhl:6e7WpXYvnh3I

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4608) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	c959a7e308ada6f75b279eb50751b630N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	c959a7e308ada6f75b279eb50751b630N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c959a7e308ada6f75b279eb50751b630N.exe

C:\Users\Admin\AppData\Local\Temp\c959a7e308ada6f75b279eb50751b630N.exe
"C:\Users\Admin\AppData\Local\Temp\c959a7e308ada6f75b279eb50751b630N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
93KB

MD5
89cd929d1616c06f10eda39f38e0993e

SHA1
f9ac156ef550d8adab484d56113b3afa9db6e302

SHA256
b21a56b1ec7853cd89f1e621b49550dbbe8ce55d250b001d5c157f92d25533ba

SHA512
d0b6ee7bf7ffbedb729e4333ba29a6c2b050aa235934ce4006673c2ac24fb2ebd0c3f7d5395c6ba537e59500998d5ea330ca9a455082c074d03ccd8b5ca83859

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
192KB

MD5
8c0a61e60f472ebe4ab1670ef8217a36

SHA1
0d405678a75359d7083f90dd9df2de70b2ec9989

SHA256
e25701da0a8c8ee097132041f040f0c1df7fb420cdac68b48ed05c38a719eca0

SHA512
5d190e98cd0ff5313182f33c4cfb21a4720d04da37b17490637b7badcfb63a6131d8dd4296b11c1ffa9cfaa876deba43a2969c4b02b3da757a4585333c17895c

Download Submit