cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcb

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
Size

81KB
MD5

db42fb94b828dab6ae4fa94d499934b0
SHA1

60015db29b4ba6c87c0572779b709247daeb4613
SHA256

cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcb
SHA512

ffb04a333dc930de4deff36ea7b31afc63f1bd9d63676f2da0b88a19af61cd77866d5fee92b80e53a6f195d8786343b57eb41d1ed87cbb8a68170e75e2f1faf9
SSDEEP

1536:W7ZDpApYbVK4vx4PN54PN4OHepOHeZSZWwhYWwhkN7lN76:6DWp7WBWwhYWwhqb2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5003) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Algorithms.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe

C:\Users\Admin\AppData\Local\Temp\cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe
"C:\Users\Admin\AppData\Local\Temp\cd867bedc54ca53b35c56479a7d5f173012f9054c750a09a5bf6bf2f5b84ebcbN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

Filesize
81KB

MD5
5306fb321521a370731c98d14bc64766

SHA1
0c7540727f90d222924cbc3291506241a324e6bb

SHA256
ffcef3f1c8cb545839e733f261a3e1e2a3fc3f39dca1c91dba127f18a2c5efaf

SHA512
b940f70b9789a7c53df198518cf77faafdd5fcb9de631613670d66b008e1329998efb302f54569f10fc510afd490fc4658862e7ba0d2bb3709151f76051f8d3b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
f7e0c835ef63ca1f31a3acbaed17174d

SHA1
c15180c59901b0531d4dcf039a9780843504b350

SHA256
61d4ceab915c7711b120f5d9889afab4075477aa8b1a035b1d177e257865aef1

SHA512
fee1cc839fc2c52ccb4a8d2442a007f9a0bd872dc3ba6ba08a4e7b48d33a94b5abcd52a8145da96f17a036820e7d0c9d09326b142f8578d697375b88ee829ff6

Download Submit