cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
Size

65KB
MD5

65ec6472724f806f6c4500ea8aa36423
SHA1

f639131ddc8545c16ed9c8deb230f1d4b9345cc9
SHA256

cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a
SHA512

9af35f42a62e4466b6508ef90be499b913dcd6e27949641d9f1743ddd81cef5e8d9c3ae9d2869224c6253b5abc20cb7605de226042cc12d6ffba5dcb6e40551c
SSDEEP

1536:W7ZrpApojswv0EhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsoa:6rWpcsHEhLfyBtPf50FWkFpPDze/qFsn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\bin\hprof.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClient.resources.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\Welcome.html.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe

C:\Users\Admin\AppData\Local\Temp\cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe
"C:\Users\Admin\AppData\Local\Temp\cc883a126c81326b05ce1e166dbded4264805da6ecf3e7adc9bd815dc497ac9a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
65KB

MD5
3c2bb36add0ebc699c797df1874f80d0

SHA1
5ec4375e3e78c264a9161ffaa336c8ea54da410b

SHA256
854c0ece11f94a09c6c651a3621be38822e265f2ca90337536ba7db298a92a45

SHA512
406e244861ce8ab768002f489f5c4a4ace0c02d4b6f8ab9eda4f4c1152b905dafefb51cee16cb5f51c735e5bffaac359bd2df7cd7868fbac0388990708994c79

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
164KB

MD5
6d23b4b67c55e6120fde7dc158e350a7

SHA1
2b7ce2bcff7ed89ea9bee11ef1560d0b14bd12be

SHA256
4ed6022b979a846a67271753ce3d2c6195ec53dc09e19fe76366b14d1b60d57c

SHA512
005935c86d83a5bf98ef6076e735a6175b0059eb0428bd6111c921efc40907c04d9f6110f3cacd9b15f3afc8190a85962d2facc15c3700e31a8e364b68f19fbd

Download Submit