58a0ec8974e4ded2d8c27bb0d2ba7260e836b0620bd220461bff541295acaa5b

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edd0430c979033231567d7c6233cbcf0N.exe
Size

59KB
MD5

edd0430c979033231567d7c6233cbcf0
SHA1

0b3527f34c8a8f38c88b5588c8637052b39fd98c
SHA256

58a0ec8974e4ded2d8c27bb0d2ba7260e836b0620bd220461bff541295acaa5b
SHA512

0895a5d3b85fdce9fa2b5d0f7c33dbac6cac56e29c4c81fd49ffa610996fb5ff5fa125c5a17fb2c13b5482749cba9e5b00ce1533eabc6d10415cbeb90cfe3d2b
SSDEEP

768:W7BlphA7pARFbhvOsTKnKqtUK4F46OK4F46oMA88bRyvkijaTpA:W7ZhA7pApvOsOKjv46Ov46MbRsjaS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4359) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationFramework.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Xml.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.NameResolution.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_CN.properties.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-runtime-l1-1-0.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	edd0430c979033231567d7c6233cbcf0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	edd0430c979033231567d7c6233cbcf0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edd0430c979033231567d7c6233cbcf0N.exe

C:\Users\Admin\AppData\Local\Temp\edd0430c979033231567d7c6233cbcf0N.exe
"C:\Users\Admin\AppData\Local\Temp\edd0430c979033231567d7c6233cbcf0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1403246978-718555486-3105247137-1000\desktop.ini.tmp

Filesize
60KB

MD5
a3aad782146191b21411d17b1aee5d03

SHA1
11a72955a9b1a7fc5f549ab05957d7939e676e28

SHA256
d7ec4a35e4e7b9a56cf9cbf1d919afa3257b70d98b8e7d14974dabc6ab2e3171

SHA512
a4880afa4a9c2aa6bf8224f2e2f8a4ec162bab161bb307e99a34ea1cbcaf732c03ad398c69454ae0a68f04151bbe349cdc349b08727587f6f1b855b7ba1d1c8d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
158KB

MD5
36314bcb7cd6b75e4a3cda5305213719

SHA1
6f7b5e43dbcd97471a4504c82be18a123c06eeaa

SHA256
766af373e755cd85b035888d3f5e084115fc7c3bf427e47b57c4fea566125854

SHA512
5429ff3b6a55cfd0c013d0b0e77d7f5c978d72ede2d75b18b4768241d25b75f85568c3285cb6e669b77a652eee0225d5fd82f8eac2e832c87fac7343bf01ecd5

Download Submit