c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
Size

53KB
MD5

8bade80885a7c603f67b9b48d52a72a0
SHA1

83a6659bf8125c99210b9f1eab4e26bba40fdfb5
SHA256

c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1
SHA512

818d5d32fa05ec2ca866278e847ac005dd2ab56efb3c72471ac84f0481e06b54a9140e1ba9b3b9f4a61d392f2600cc47cb9291794ae8df40241647a4f18f0c31
SSDEEP

1536:W7ZhA7pApM21LOA1LOl6Aj8Tu8T1Rxew2wT9v:6e7WpMgLOiLOAew2wT9v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4622) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\EnableStop.bmp.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\external_extensions.json.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Primitives.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CLVWINTL.DLL.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe

C:\Users\Admin\AppData\Local\Temp\c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe
"C:\Users\Admin\AppData\Local\Temp\c27c3ef5cc833c4a3fefaeb469c1a05c2203e5121855b943e5ac5d486ed327c1N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4176,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
54KB

MD5
a5851547d4cd386b85b2eab3f754fbff

SHA1
4d812d4c7e4b4c974cd58a2e4f9e8a2d65ef567d

SHA256
49140a825c51540f17952818bacdc971474b573c35599598028ae01e2135afbb

SHA512
19111785d456a4f9cdf9ee3f1848850f9d88f6b36f5eb5eecdf00382f5dd530cef63ff21801bee35f6579173ad8beb17e01f9da02ef29b56b20d5c1d4ff4a4f9

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
166KB

MD5
a372476f57bed6253139c0cb95cd474b

SHA1
76a6f79485e427326cc90e0898db1c40d48fc6dc

SHA256
1a78d6e8eb07667b43db96bdcb6c5babe4d77ed07acd6cab93a064e0b1abca35

SHA512
1c14f2c7e2cebeb0fb2252002d6fc21df9964a3a49ce4c6f32669cfaa30cd78503459f7e9a29fa6521f9773859d9401fb276f3742553741de41e5673db906956

Download Submit