c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
Size

73KB
MD5

1c2f5ac2c43ff3ef54ff355e52c4e890
SHA1

4fc804ec2c011d26b982f5748ded95d47500240c
SHA256

c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336
SHA512

51c2c31d4e3299885041677a48483c509dcf440148c4c803e4ab8f5eaa41d894f97f98eaa827aebf5954e6f835fa15d408719b4783dd7af01a870f1c0d2574d4
SSDEEP

1536:W7Z2sspApkZrZ4+fU7lK1lKT8/8yNCNzdwEbdwEG:62ssWpcU7lK1lKgkG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationFramework.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140_1.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ppd.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-pl.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe

C:\Users\Admin\AppData\Local\Temp\c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe
"C:\Users\Admin\AppData\Local\Temp\c99e89eb159772d55c13c2bb33aadb50d55eaeb8f11a7c8d6771067fedf76336N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
73KB

MD5
d2270fdd7ff072c30cd9918972e671c5

SHA1
ac37b27a653928ec03fb0755ff4f86c901a8c283

SHA256
7363b899fae19aa1563da2253c2149ca07d7e543b9dd143a6162a505a1ee58a2

SHA512
7018d6ad920fe900b81b916be7c6ca022860eb7c2103460434fe8c243a04ab1295ffeb291bd0ec69341656ffa68d9f66e6dba131f04c73bee6dfc4eb52d55fd6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
172KB

MD5
90460ae229dbf60850ac238ce36714b0

SHA1
fe3f20863e7a2ed0b007568dfe3ef1f210af684d

SHA256
409463d5298822a3635224a76aa1e3bd9d4cd554bca66a777be7958191fa3f3a

SHA512
c17db2cba2c6bfcecbd1f8d61af48a1e4ad04ff506c5cf1b3e1b1f3dc1116dd16c6a6e3e153f083f2e9a4565d9f5901afe4907dcb9e0035f51f93afcdceb2c33

Download Submit