e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3

General

Target

e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
Size

65KB
MD5

e91f0d40e4b166a566dfe73b2000749c
SHA1

82180c0482986d74f9094e18ffcf7b9418a00294
SHA256

e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3
SHA512

7da99f2512f91a1688c7990d5c08ac19ab73bb87642f0030f8e59f9afd961dd1eae7729d150bcef71995f6d4a5fafa7c62a4a18914a350e548874cff956f0725
SSDEEP

768:W7Blp9pARFbhQSox/6Sox/ME4JAIAepE4JAIAeuDlmlQPc3f6Pc3f5TGotuMOiJd:W7Z9pApQESOHepOHe8G+6E65TGAN

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (1291) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrgc.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XmlDocument.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\PresentationUI.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\UIAutomationTypes.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\ReachFramework.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.Reader.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\WindowsFormsIntegration.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.Design.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Tools.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationClientSideProviders.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClient.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.X509Certificates.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Web.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Xaml.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Memory.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationClientSideProviders.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\System.Windows.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.Lightweight.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ValueTuple.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.0 (x64).swidtag.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Web.HttpUtility.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Input.Manipulations.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.Primitives.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.Linq.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\System.Windows.Forms.Design.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationProvider.resources.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.Primitives.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebSockets.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Numerics.dll.tmp	e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe

C:\Users\Admin\AppData\Local\Temp\e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe
"C:\Users\Admin\AppData\Local\Temp\e385015a42e06f62968aefc3fb45b2fbaa1a04fd509d1035be3c013265f4e7e3.exe"
1⤵
- Drops file in Program Files directory
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini.tmp
Filesize
66KB

MD5
682271265c306b6a587a568dacb7908b

SHA1
cce3963c78d429ed1ac7fde4f06f5fbac5cfe5ba

SHA256
e2c38c42f01afcdb3e4f397a11703cd052995879d3d1ebcaa4eff7784fd4f22d

SHA512
9afe862fce3d0aabe9317f0182b0b8c8af95106fb2537d37f059e3d83ce8e9d9bd1e6be2e8530abb5e312322369a482057c6dbeaa970978ddd4a0c6cc66a153b

Download Submit
C:\libsmartscreen.dll.tmp
Filesize
65KB

MD5
f67cfda1f4d851325b7f0d8acd5404a8

SHA1
4db6faac8963e68d672c6f8f9dfcac7041ef6a45

SHA256
b0ae08a0c86ed73cdd0e97fae866a3f5042b9a4a35501c52c93ef61fe41cfb30

SHA512
11fc0b14efbb0584975060b026de27f38df5e278765f34dbd9df1d49a3ea1850311b12c1e228dc07fa320358e64727e7bfa775a63641405ee6f60c16970cf84f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads