5f4c661a48435c2f36a318eaf46048345f2032a314305fdd19ac49c917ece518

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5d91b6b05eba83e0517ba7c6edd8d80N.exe
Size

93KB
MD5

c5d91b6b05eba83e0517ba7c6edd8d80
SHA1

9aafa0b2dbe92fee61b576671c296b16df2292db
SHA256

5f4c661a48435c2f36a318eaf46048345f2032a314305fdd19ac49c917ece518
SHA512

f0780e873073a0c3a8b7e1a13bbdd1d47974ab8bf9727f496c1fd4bee5f5fa9d300197288b909a3842755770cb004444732ed4fcc923d8fd76e7d8f64c6d4a51
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhR:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4567) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.VisualC.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp	c5d91b6b05eba83e0517ba7c6edd8d80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5d91b6b05eba83e0517ba7c6edd8d80N.exe

C:\Users\Admin\AppData\Local\Temp\c5d91b6b05eba83e0517ba7c6edd8d80N.exe
"C:\Users\Admin\AppData\Local\Temp\c5d91b6b05eba83e0517ba7c6edd8d80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
94KB

MD5
1a9ff80194cfde12a5ce7b750a65182e

SHA1
fc679500da6a322abf079e7eb3048b38d7a4da1b

SHA256
e987ad6beccb608532cd8cf2dcb6dd7fa7e8e5f6bb1a828032b8cb6eb5c90cd1

SHA512
12f00ca4b615d67dbba2d9ab93fd64d23552ab94f0eab25c238d1ddc5c37fa139e4bd7f8c82e0cf3e3169ea67ea46df507aefea4c10f32d555832181d9050243

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
192KB

MD5
ab76d2afb717e17f3d0cca9f79e0725e

SHA1
db3d7330259f88edcf7508121c8a6e86b9f54140

SHA256
3c7c3b00e8c4dcecfd571cc3311a2cfd155486f9734f769b89768fab850e1ea6

SHA512
401a5311067f84682f3a73f806469493cf6f16ba30091c27a04a9892a036b8efb1204dd54eafd08b7a4da5e226aeabcc2b1b31effc56485f91b87c1356800263

Download Submit