8d946a5896de79041fbc3714bf4011a02c40b480da9f5ba31cb849e31bcfea4e

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cf5996b18290b16a9e46bbbd9e9e90N.exe
Size

43KB
MD5

c6cf5996b18290b16a9e46bbbd9e9e90
SHA1

830655cb59afb7c46bcd3c38fd08af041b94e30b
SHA256

8d946a5896de79041fbc3714bf4011a02c40b480da9f5ba31cb849e31bcfea4e
SHA512

f94aa70c7ff3ae48d2658c927d427638944e012e4e7c6472bd2d17e2ada8a1c643369f500e2c28c9b446f890964751c691fd2d9de37a72f2f0385ec2b079def0
SSDEEP

384:GBt7Br5xjL9A7AgA71Fbhvnqj7jU7ubTAgpbuvx10AaIdKB7ubTAgpbuvx10AaIj:W7BlphA7pARFbhL801VvM801Vvv7cYR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Concurrent.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClient.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	c6cf5996b18290b16a9e46bbbd9e9e90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6cf5996b18290b16a9e46bbbd9e9e90N.exe

C:\Users\Admin\AppData\Local\Temp\c6cf5996b18290b16a9e46bbbd9e9e90N.exe
"C:\Users\Admin\AppData\Local\Temp\c6cf5996b18290b16a9e46bbbd9e9e90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
43KB

MD5
c93bb56764543e2a357db9f027afc494

SHA1
7d80cbc8721bcc880b857c5f266e8184b68f7ecd

SHA256
39e947dbc77f762d13a62f8bc293549edbfabf316092368764257671358f67e2

SHA512
7fe82718ae7ad8fc02e97d1bc1f10a039bbe2fb41e503ecb53d539a4fedf4932fcad4dd16978765deddc56b9b52a61733e6282ceafd743ebc86db1363aa068cb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
a599a256abd747df4574a8aebefb0c61

SHA1
b16e6fdc3e8496d2ba06ab6e10081c9ebcfd68ad

SHA256
54ed4393356dd3f969f11d0ceae29b86e9e147cba189205f2d5db270c22def78

SHA512
f036e7fd18631f32b3249af21037868f38268f506e29256ccd8b629d694592b10d0921d78efb330cf6d854c71a12c782034c3ac4b9fca6b265de35dfb227cb8b

Download Submit