a743c4ecf4f83e6ef2b1d77d5fa9f421a68a9ff39c601e8dc6615031714071a9

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c08c8f96d1ddcbfcf9f48241536f4c50N.exe
Size

43KB
MD5

c08c8f96d1ddcbfcf9f48241536f4c50
SHA1

14d38d15fbb4984a0a7994af06e8ebc1324519ab
SHA256

a743c4ecf4f83e6ef2b1d77d5fa9f421a68a9ff39c601e8dc6615031714071a9
SHA512

4a514ec6e95f4eeb08320d4562cf9e4146731b1841727d3b0a3d44252ad444ec8a06accdf6eb4e92dec40912f1bfa51d2cc9ab185ed2fd6449cf7351fb07c517
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOTlHdrBdrR:W7ZhA7pApM21LOA1LOF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4680) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glass.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	c08c8f96d1ddcbfcf9f48241536f4c50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c08c8f96d1ddcbfcf9f48241536f4c50N.exe

C:\Users\Admin\AppData\Local\Temp\c08c8f96d1ddcbfcf9f48241536f4c50N.exe
"C:\Users\Admin\AppData\Local\Temp\c08c8f96d1ddcbfcf9f48241536f4c50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
43KB

MD5
4dbb47b1276b3dc530cd2926a2b72110

SHA1
2131f5b55bb1bad14e688b3ab63261c357d5ff0d

SHA256
88f7149b009548151eff8705344d70ae28216ad3681f3559a0a9436a381a8922

SHA512
c6bd04d9b71e0f4a36e8c02e3160d30248f8e26b2a55f77c7d3089b18dfc6393b58f7cb8e6fb715638744c451ce33fd58c760b4d471bbf2339214bc11a0403c1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
a5c306cc6b9d719e2a64364120b41086

SHA1
d7c12113b4aa9d7af7351866b59614c144dd4dc4

SHA256
46d8403c0356d6f097f82971ba2b1fd7292e6cdec76bc3f6694a966e2d773436

SHA512
45554bfdc1eafd5b59eee80ffc428ba66b3ad6bdebda1fd82eae7e200421650bb93262f7810d9d150f3375013e1b4ac54bd788f5eae92fe6d15675f578b0d83c

Download Submit