18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
Size

88KB
MD5

20c4e634d50229d9d9c799d98ca7c249
SHA1

1d19028c91b2cf1463c3b2651395ef2a8a107b6d
SHA256

18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d
SHA512

e50f100ef2637d42fc947a3ca50b1dc98df6ce087cf32fdac1cf6443255824035949c15402e488649accbf73e4bfc7eb3ecb4bf3087be1ff1e6652244c7d65fa
SSDEEP

768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmhyEXBwzEXBwujh:W7ZDpApYbWjIoPyPoLzV7c6ShT6s

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\es-419.pak.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\lib\dt.jar.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Google\Chrome\Application\debug.log.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe

C:\Users\Admin\AppData\Local\Temp\18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe
"C:\Users\Admin\AppData\Local\Temp\18e2ea78f9ed4be346dad244c4c3543e2cd20682296287e74cfd6801ea76557d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\desktop.ini.tmp

Filesize
89KB

MD5
9dbdea8159c1018f0d3f79e3b7c1a451

SHA1
c21648db6d19c19adb3eb887cdbd429abe85bc05

SHA256
8b2fe9fe1aa981103cbae7fe3a12c5d42d12d8358ec97545d722b7638df9ebcf

SHA512
467a9b7088d97c19f322dfd00f540d782264fc06b97ab4b4fc80c7cc9c1116ee29d34447159ce18c9d60aaf4f5f7dfca39756988b608848b6930727069b44fbe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
1c22772ccd813efb59d4b2e28eaefb5e

SHA1
a8f20af7772b88b617919bc3464dfb6d919f5548

SHA256
2b5a99bce192e51c77cd52397419a4353aa5c332aa41cb9d382f9395619cda39

SHA512
3036b071eb44a3b6d3fe483dbe2f448ce4b2d5d5b3de5d981fdce6302c90d21a987aa2c6b96dfd4e6a2e8ec4501cab8c28af1b4e150f224d8f6a0a640ff6e604

Download Submit