eb2352be78d6e27b49a661d55104e24f3ef14d0e6d67fed43c3bdfbf49b4531b

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca1d06ac9123d95a554d8e086f929180N.exe
Size

44KB
MD5

ca1d06ac9123d95a554d8e086f929180
SHA1

47d5269f27647e5116d68abb399e6b364b36641a
SHA256

eb2352be78d6e27b49a661d55104e24f3ef14d0e6d67fed43c3bdfbf49b4531b
SHA512

f41f9240060b57a71fa2d48aae50b1fe8cf66d32505f1b52ed3912c8198fc09d5e0bba90d2908372cc8286e0bdfe84f6d0f00d74535179ef82375bb83cb73fb2
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFHOO:W7ZppApBULcfpHLcfpyDn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4658) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\EditDismount.ini.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ca1d06ac9123d95a554d8e086f929180N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca1d06ac9123d95a554d8e086f929180N.exe

C:\Users\Admin\AppData\Local\Temp\ca1d06ac9123d95a554d8e086f929180N.exe
"C:\Users\Admin\AppData\Local\Temp\ca1d06ac9123d95a554d8e086f929180N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
45KB

MD5
9f003581acc029105620437e8d726f10

SHA1
12d01ee002df25c84b6ff521b0386614d3c52b93

SHA256
ad12c9a25db0a46abc1ff73a5a6a10ff6cbd2f0304f60062ed5f80b3013b5150

SHA512
355efa495ba4b5673d3051e0d561b828b6562ad7ce6c7f0e5729fd6bc9f9e5725f2677b8d371b06d571dab9f64b31968211857d62c9853e86ce1d0db86867386

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
b724f63b1685a340be51168b68ae6fcf

SHA1
2f612c1a8419ac4208f7d6fb6bdee5fa7575a965

SHA256
aa8402eb534cdcd5b05bc065b0db72067471ae3f26cd139aaf4e4862e6c44715

SHA512
107e32f641c21df4e470399960bb2a99ae8a6a39403f780970f7187b63a5fb140ac77d7886a0479af6ce8eaf378b7d034a1a42a1f3f355c308fe2af38be2a314

Download Submit