cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634b

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
Size

39KB
MD5

98246f1cbf78ad3dfbf87f632dfdc140
SHA1

5b8780ab47bbbd58796fafba2d18d5a0a63cf822
SHA256

cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634b
SHA512

fc0e9c3ca65bfdd2998cf5953d0881f5eca41f294f3416db512e0c83a398cc54cbae9684fd47d26fc551133bcc885986ebdefb6649a36789f793e38d9fd37ced
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpdj+/:W7ZppApBULcfpHLcfpQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationTypes.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\C2R64.dll.tmp	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe

C:\Users\Admin\AppData\Local\Temp\cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf7155839427189fd028677e319191eacfd161c568c96262097815c9ddf2634bN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
39KB

MD5
7f6add23a2fe042dda824b3e9a9497ff

SHA1
1c2c3ec8f4a72e9a3cec12f3b231b695c3a29e66

SHA256
ac4a8bb0db84c9771d896ea68915eafdda438e26f7673069000e76557fa7b78d

SHA512
a00d4c19e1e694e7e4abd26a6e8d6c9060c66834a499882a0b291d42081f6a799e755ef087305d081f6c7072eed6e683be8f7c03112b2752fbf3ce2abefde326

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
62ce0079e37f63e0ebe4f86562c3ea93

SHA1
be958f55bf30765d20736be76fbf74a5746e7584

SHA256
52e36c7b31e96c578602409460a43277daebd41494b71f33773c17715ba407cc

SHA512
070469d69dbcd38274bd8197ad5363c8f101cd75be61494a92b8cb3e21730976489f61b206a4aa38f4fcbff22766da69dba1937f031a2b716254fd4132f55139

Download Submit