8d4949b7e6ddc315ca9d051e09ba6cf91e1431ef010cceadd0c9acfddefc3860

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c16c1433eb4ac1a0139b7772d31dad0N.exe
Size

69KB
MD5

0c16c1433eb4ac1a0139b7772d31dad0
SHA1

115890d43f0d55bb16dc2a65c206f2f74f28676e
SHA256

8d4949b7e6ddc315ca9d051e09ba6cf91e1431ef010cceadd0c9acfddefc3860
SHA512

709373a34b9114fe1a046f69ac9d4a4b28c8ea03c6f9bea938250081e44d0556d23c5880af8e7d7ea4eb3cb3f2d23edc7a7a294a8e310af66066f7b2120237ca
SSDEEP

768:W7BlpNLpARFbhblkYlkuvIYFdm0rEt0rEkEXBwzEXBwAh6InAkDanAkDo:W7ZNLpApCZuvIYXmdtd9htnAQanAQo

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\cs.pak.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	0c16c1433eb4ac1a0139b7772d31dad0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c16c1433eb4ac1a0139b7772d31dad0N.exe

C:\Users\Admin\AppData\Local\Temp\0c16c1433eb4ac1a0139b7772d31dad0N.exe
"C:\Users\Admin\AppData\Local\Temp\0c16c1433eb4ac1a0139b7772d31dad0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
69KB

MD5
bce7264b54adb946d94ce9d34d9d1584

SHA1
8c62e69fb9e66ca472826e4112c6ecd0c0bea52b

SHA256
eb307e53f4decf6a12225d9a7918761cfb249ebeb8f6117ddeb39d0070bad832

SHA512
c46f3a9caa63c89c7e89303a64c9b8bab4b8872ac4e1609a1036588c6d67c608e31a726e711a2e1a5ddd3810a86aa04ecf4643f7f4ac574c957283259b897b61

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
168KB

MD5
c753780dbca571a23fe9aa8dabc23c40

SHA1
f9a5c48a7d91d4bbfc049fcddee7139820786ba6

SHA256
4185e314a34cd6ce039c4cdcd3ec8037a68f2d2ba9df8aaa022a163d5ac6b849

SHA512
f41a49af0e6eb55f5f551d67f651375dd46feb54e842b202d296fcd7cfa990b7d8f6ad4360ad279f5deeeab2a9e6957ef9340eb3660ea0078683b9b48e2f0de3

Download Submit