c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903d

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 07:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
Size

41KB
MD5

cfd8c71848689147273a26ed5b4d5a50
SHA1

83de563b848717c068f7cfc21b9131c52ecb3694
SHA256

c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903d
SHA512

70b68f04a1d42c082e39a85cfa60f31d34c3182f406234b173c651a4f3930f84076ed8b1bb01bf1efa83b2a82c1d4e356a094f67d2ec148c52a4aee6bed39b77
SSDEEP

384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fL+8t8YwTZg4l8PVl8PZmp5:W7Blp+pARFbhBgnKL+8t8NZEPAPZm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash_11-lic.gif.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJH.TTC.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe

C:\Users\Admin\AppData\Local\Temp\c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe
"C:\Users\Admin\AppData\Local\Temp\c3c538efdc4d848f2ac2f783c6103574f4081b4795ef800c0f79312c388f903dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
41KB

MD5
b6c9c067489783348b44aa94d8431518

SHA1
5ed07f2427716df20f46a471fd2330c46704d4ce

SHA256
d38debb04ed96bc44af3db41b36350d39353a04c54b30a21ad32cc670651e1ba

SHA512
051c7f2e1d2691b363e8bf2a73e2b3cf585124c1b38a846f6d60a1e8a1211b78e4b8ef6a6e998f63580ee3510fe931673c70df8b19c6ab1993575740956748ca

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
6eae7c3ce6452cc49ae8c890aa462f29

SHA1
b2cbe9b498fee913376128ed66d5b3408039fbfe

SHA256
a7dca7d395f5eedc01bfbf234a8f1646652d97dfedc3dc967ec690146ed7a22f

SHA512
3f2169903d81e7b581643bcde14330ba26fce070c5095f39f32a3848853ae1072bb8a160c8afc9d2030941de45826441c051b16be39261f888279e22f18d5658

Download Submit