c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 01:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
Size

41KB
MD5

1d6c4478d68e5f357e9a73c1bc1ade73
SHA1

ddbe99ec6139abc3ecc3c61493751ac825c390d9
SHA256

c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2
SHA512

1ddb85edfbd75e5b5de6641106d0fa360eaa6aa502c954dc79a7349fedbfbf1d321e14b9bfc1475bc6f63287c4640cf4f19be6b221f09ce67725197a96e6100a
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz3ZsTZs85c5C7f:/7BlpQpARFbhNIuW85c5Q

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.Editors.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Controls.Ribbon.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationTypes.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe

C:\Users\Admin\AppData\Local\Temp\c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe
"C:\Users\Admin\AppData\Local\Temp\c9c8713856fcf462217da823884b2e56e9607896121fe7732fdb0a0e5a2f2ad2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
41KB

MD5
a7cbc972f47efdbb231ac66883063816

SHA1
1728a37a120b8d275afe40dcf0a32df5db89cc4b

SHA256
bb2923494c41bc9bb98522140298b1788219f3bb2e8ecfacd459d4158920e4e2

SHA512
807f079e257a4680bc92e0bf064b839ae6dd9fd1d91d4fe1c7dddaf401bdfcdcc76f1f8f5d05a72498ce572bc30c7eead34f0e342e64253b2b4d68e9f3184cad

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
a43a7918f0052fa0ef891a4550ce0102

SHA1
1f23bacac5bf208e8ee321426b08a7cdac0075fa

SHA256
0addf5ff730e1b666705f3ef334a3e3b8ced250a228bc68ea1a8c47e4abb7b85

SHA512
c647c9e0a2aac399f15d68030fa5c151a6b931d14c0bc4138697c41d45e8b24f6e5fd91bf755fa9c69773e255b0eb936e7220a77a5676f80a5e2cab8615ef087

Download Submit
memory/4916-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4916-912-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download