41b49ace7aeec2bdda8c4e44825c6bee4fb0947210eb8cd317c760f49c700002

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3f880431522f049fcb5dbc5c316170N.exe
Size

50KB
MD5

cc3f880431522f049fcb5dbc5c316170
SHA1

d68db6eb56c8cdfc40b1d7fe4c93b0ada4ac2844
SHA256

41b49ace7aeec2bdda8c4e44825c6bee4fb0947210eb8cd317c760f49c700002
SHA512

bb3fdc719020cef88f357ac47d000386b5d622830e422f0d5d889259b3948163ae5ba38c46587fe00a5cd999e76c8bbc66d064b2bf8cbdd09e672ed13865f928
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7eniYfYx:W7ZhA7pApw03vR03vPQG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaremr.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Input.Manipulations.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	cc3f880431522f049fcb5dbc5c316170N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3f880431522f049fcb5dbc5c316170N.exe

C:\Users\Admin\AppData\Local\Temp\cc3f880431522f049fcb5dbc5c316170N.exe
"C:\Users\Admin\AppData\Local\Temp\cc3f880431522f049fcb5dbc5c316170N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
51KB

MD5
dce465c48b3132106b662e7fa340da81

SHA1
90ee4d6364ae56666a21cd1054d255a51c32970e

SHA256
2f8546b3b76809fb3ff1fd87ff3fdc0e7ed858b8033b9f9ccfef9b89ce4a4dea

SHA512
7f161e77499bb71f503729c4803dd3d08c70e59945b389d3f699205c744890a8e8a57457107d9c5ef8af99bf55c919fe87e8817fa89f36fd1fbe9fdff9e47578

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
94eabc5c135b029a6c9e40b058d24285

SHA1
70e3e8f80e6bba9b90802d2a60da714c1477fed0

SHA256
67a1a18523c167d1619fb4c27dad6b24783132f7ff081ef87fc5d631f671707f

SHA512
947131970e6328e4887dfc511b4094b531383d9685d0a22bd479ca5b26b85a6e813ae23d85530e2cad8402153c0f798c4be8aa9a7fd6f25c5623611deb478fbb

Download Submit