1cc38d67115c524f00d05ca835d62d4eeb0c3a4fd41d4a03b0643623f6b21905

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1aa5bb4dd29740ccddde53d3c196e50N.exe
Size

58KB
MD5

c1aa5bb4dd29740ccddde53d3c196e50
SHA1

23b8a8d912966f07c3b1456dd67cf329d8984045
SHA256

1cc38d67115c524f00d05ca835d62d4eeb0c3a4fd41d4a03b0643623f6b21905
SHA512

a83a266e9e6a8be2a9c84f7fb1493b4ae133a58244600bffb14899e3a0808ae64a16e6285ac2cc6d03deb632ced0b56879e60c78244aba6672dae37e5b5b930a
SSDEEP

768:W7BlpppARFbhFAxC7ntkntV/fo4oIKBKS:W7ZppApryyHb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationUI.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.tmp	c1aa5bb4dd29740ccddde53d3c196e50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1aa5bb4dd29740ccddde53d3c196e50N.exe

C:\Users\Admin\AppData\Local\Temp\c1aa5bb4dd29740ccddde53d3c196e50N.exe
"C:\Users\Admin\AppData\Local\Temp\c1aa5bb4dd29740ccddde53d3c196e50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
58KB

MD5
7c143d1b1c31abf36ceb1f547210c72b

SHA1
3548dd1db6e7703602defa58e2d56c8e8fce69fe

SHA256
99e3b3c0fae1c909c2872d6348293bc290c4e0fc632ba37b1971aca35f1ec00d

SHA512
22330f9212b5094b2704fc8f21cc891deaf18036881166aac97affaef634c09f3cc371eca86a9db4a7f504ba02c48771902f0ab676ce161005eff4f6e557aedb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
157KB

MD5
9a19d07ff3a5ba5d0f4887a68ab05d6f

SHA1
61feebb3248cbad6facc395e96dd9c48c6c7d359

SHA256
9585f582d8493d029424c3a8d481d8876711915e522724be28eec9fbb315d70a

SHA512
e217e6c5b718d39933643902803e392d19463ee369eae4c58ec5831b0fa5bf3b12288829e8ec07736b4154977dd285c0cebab365b45085a8a9b2b7b5640099e0

Download Submit