117f076b3752720a41fea9c2e32b0da98c90e857527afd33e57ecdb3f6f696ca

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ced5b30cf7d82d04d9017e95b8edb6b0N.exe
Size

98KB
MD5

ced5b30cf7d82d04d9017e95b8edb6b0
SHA1

14fe72778e46a5e535473a69c355cbe21dda8285
SHA256

117f076b3752720a41fea9c2e32b0da98c90e857527afd33e57ecdb3f6f696ca
SHA512

f1a047517412472f08bd61b20070464820ea5f3e0aad52d5ecb64c8972f80747f214bfd82e11574c32e206c41ccf9274169a0fb0a428f8cef9aea890bffc5296
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZOf7fB:RqKvb0CYJ973e+eKZOf7fB

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Native.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	ced5b30cf7d82d04d9017e95b8edb6b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ced5b30cf7d82d04d9017e95b8edb6b0N.exe

C:\Users\Admin\AppData\Local\Temp\ced5b30cf7d82d04d9017e95b8edb6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\ced5b30cf7d82d04d9017e95b8edb6b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
98KB

MD5
96a25798ee82db5f76b918d4ba5bad1c

SHA1
ae1def54b2234ee3d61585e078f3217f5a3cc17f

SHA256
d07e1ae42532c96fe7fd567c70fbe66a4f3f2913e9576d3d4ddbcbe3c3664fbb

SHA512
9cc67fc1ab101c9d7b443ce4e4789b122e902056ab4a0b21f1742c11dd81a5a169084d8088163475e3e8df31bc6837335b3e12a4cbde6c30b12192eb6a8a6365

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
211KB

MD5
72b1861ab8f370718a8092084f4af7f7

SHA1
12b1cbd162313a17b163088829d2db1c211185cd

SHA256
7e6cf720be22742bcf929bf679b4b58a35604c608f43960d6b0537a637f853d6

SHA512
771dcf8a144ba06a4505db0f1c1461befb0e645b038d555cd3ad63bfa0fbc5df515084181fc1eff8161718910bf113ec2d1dfd6b574a460f62d5a53968652741

Download Submit