5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 22:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
Size

50KB
MD5

b41c1d5b3c574409c32f85aa470a48a0
SHA1

49d1d0b0c48bd3c253b9d30169f1c509d8b053fe
SHA256

5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790
SHA512

a2aa6da4d2ef91479e1838b4e3fa0431a51c30cd11ffbedaa4ff2bf70c375a3effd2400b850dacc2d1fe45c2a63eb225cd78d790ba5c6c85373eb6432f5458f8
SSDEEP

768:W7BlphA7pARFbhL801VvM801VvcR2+lJtZ2+lJtSsLNZ:W7ZhA7pApw03vR03vcltdtSsLNZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\CloseInvoke.wmx.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.DispatchProxy.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-oob.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationCore.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationCore.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\ieinstal.exe.mui.tmp	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe

C:\Users\Admin\AppData\Local\Temp\5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe
"C:\Users\Admin\AppData\Local\Temp\5c5c7d92c1c1a92089fb4a6aef3c62563e2e8090453ec1d331b12dd4f4424790N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
50KB

MD5
5e5faceff7109ae5dc270c2a7dd2e8df

SHA1
27dc72de598aa755f8a980bcd33af2bf78b8dc76

SHA256
bb25d6d225255ca0f5890aadb4d5eadb053b4668aa6de5ce2ff40070ff9b6b0e

SHA512
4ef12204b4b206a7814fbcf9a4e65a30abe347955e3abe66d8d3269fefdf350b69d16165f83069ca0af4a6052dba5740a50de65a52c510fc246bdbb316ec7a16

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
8de12852a8cc0c8224e8ba8be7c8f282

SHA1
72cca75fc9eb9ff4d05269b90c2dd5048b17e5e0

SHA256
00b12f736998a22d0a0bdff6908158e744b0ae9a47265a5ad8413cff1eeb7780

SHA512
5b4f3bd602e51a55eaadd7204b2d0fd949284ba98fd8039e9700edf2e52adb2f44bff2aa4f12ed9d85914e57eb6367cbf587047e65fbb109e595318385087c63

Download Submit