dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
Size

72KB
MD5

4df0fd34bb3eda870b3ec5b7a717f30a
SHA1

0fb764829bb2df28b783e9180e9a3e1e2513305e
SHA256

dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2
SHA512

b52ef3c74d5fc51627ddcb397ef2b6ab83ab0bc35ce9b8ae6a8061381bae2d850d9d119b2c653b5c722350f1943d30949ca06f2160cd491359abfc4f50fcbee3
SSDEEP

384:yBs7Br5xjL8AgA71FbhvJUfWGUfpa4ma4LGXnlGXnlYAE7/EZ:/7BlpQpARFbhiWbWYqY+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5137) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.Vectors.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jvm.lib.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe

C:\Users\Admin\AppData\Local\Temp\dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe
"C:\Users\Admin\AppData\Local\Temp\dccfe83fc032333922fbaeac84ad7dc9d958b7468be83f52a4001b89ea69aab2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
72KB

MD5
d1b58303d08329a39540d01114aeee68

SHA1
3d98393cf43adc0380ce1c88586dfa49fd22444c

SHA256
199e73d9be0c84f269e4de907ba18790e3c30856d1f802d8c50f8500148a36a9

SHA512
bf164a53d3a1540512e53c0ace6c0568880548648dd90a87e4ad72b73d590dc4de79628093f87fe748319f70a0c5d60f2f356bc366603ae2a7a633984e8a0b55

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
90c638285912ad519b1b2c807f27b423

SHA1
9484b7b3182940e7bf0ef2d59b4471d3463dcc6c

SHA256
2217a91ec1d71e15740f67ea1bdb63f6e121ae392867f842f287603c4b56532f

SHA512
13e92e07e40bbf88b2fd52ebede5926199dc4d5176d386a7e2ca33007ad638a1646b5cb339079384fefbc8217f4b64c34d9a1d387b8198d60d288dc827aff8bf

Download Submit
memory/3436-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3436-888-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download