0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
Size

53KB
MD5

1d8ab6535ec98220ef6a9644d749d490
SHA1

d63c798ef68c6c8914f9584722bf1a22fc22fe7b
SHA256

0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1
SHA512

ad1fa1d4066e3efe4358691e0e17154a751c7772cb6e89c4c8622aaf02752f5d4fefc3f885aceea61366c14dcd6140a01fb9afa515cfe10b09e3beb94d9f01c9
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c5FpIci1xupIci1xU:W7ZhA7dABJJZENTBWv367WrCWro

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationFramework.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsFormsIntegration.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Controls.Ribbon.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe

C:\Users\Admin\AppData\Local\Temp\0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe
"C:\Users\Admin\AppData\Local\Temp\0c7ad117190f1510708ee7cac9a8e3a95a4f74f80cad142b6410d3b8023ac3a1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
53KB

MD5
ce4198dd102afe266be508b195f0190e

SHA1
4bd325573bcc74b534eec334d0eadfa6552ea91e

SHA256
ff34a2af137dc0ea9adb7f41dd8076343b1036589c4904839ec497c02950e69a

SHA512
5d2770476802fc545d936811aae41a804acc2011dbf075419a5fcd92a998da072b8617d0495a7956b45cf38901b97dad769eaf3794eda00149f9880f9bcdda4c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
af7347f4e1fca9f0db18f6657c212dcd

SHA1
69ec617aa0fe1413c69ad7c1b50cde2ec9f12803

SHA256
38506fd910d24ad62ccefdb5239b041ad97a5267cdfe1033ebad7d92882bad58

SHA512
ce7d34f6abe94b75a94edcbfc107179058c6621b535fc257f870bb26b34b45b2ef6c16edb558d1a996f6262ddafa7804d53c2d82433cb0a4777fbaa72fef7413

Download Submit