cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcb

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
Size

81KB
MD5

db42fb94b828dab6ae4fa94d499934b0
SHA1

60015db29b4ba6c87c0572779b709247daeb4613
SHA256

cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcb
SHA512

ffb04a333dc930de4deff36ea7b31afc63f1bd9d63676f2da0b88a19af61cd77866d5fee92b80e53a6f195d8786343b57eb41d1ed87cbb8a68170e75e2f1faf9
SSDEEP

1536:W7ZDpApYbVK4vx4PN54PN4OHepOHeZSZWwhYWwhkN7lN76:6DWp7WBWwhYWwhqb2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4284) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ja.properties.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\ExportHide.xlsm.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Pkcs.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe

C:\Users\Admin\AppData\Local\Temp\cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
"C:\Users\Admin\AppData\Local\Temp\cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
81KB

MD5
a3cf32c37912861edbd08a30343b237f

SHA1
d5186d150bc68e60307ad3a05f5132cc28e6e4cd

SHA256
e14ad6ae16a7db74119c42638a7dd9a05837de16463c75cbd052a6a6e7139da8

SHA512
cbd9b202549c66061c1bbbee36d8767573a71c1e665bc68bf8c0ec68be7bfd87f2a74ea367b2526bae156a7003218830c1fcd7ad98765914b5d8713091933d9c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
361ac15841e89ef8eadb543b9d42f7a1

SHA1
1c95efa364e6e649e7b5225f34a0d1df2a5426ef

SHA256
ae8fe477fcd2b17d18905cbbca5f26c9ce03d2a2d80a1759533f7cbd248e8be1

SHA512
4a9365e38c5c0e06b548ef8dca9cef4b7ff3c182589ec92ee161c82b6188660b55d6c61de4b19bc71d7c23d6898debb508e67087c586da44833e8aca26788b6f

Download Submit