2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
Size

36KB
MD5

c05b73c7c2db231b49586d8d255a8ffe
SHA1

f3ae3054419cdd2cc4a859f63f2881600a89820f
SHA256

2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae
SHA512

c10423b7de52a9d98742b3606a24aa11f1d604cf2f18d80cbe485a9eb5c5c13eda3256bd639eb831601d8d2e1c9a0876c047b70816d2913b65ecfaa8f846b480
SSDEEP

192:tACUADIY0Br5xjL/nassAgAQmP1oynLb22vyBX5HAug4j4fPUDN5HAug4j4fPUD1:GBt7Br5xjLvassAgA71FbhvYD/DMG

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2105) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.SystemEvents.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.IO.Packaging.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\DebugExit.htm.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\ja.pak.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationFramework.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\da.pak.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\SmallLogoCanary.png.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome.exe.sig.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe

C:\Users\Admin\AppData\Local\Temp\2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe
"C:\Users\Admin\AppData\Local\Temp\2e3111a1dba86adf96265e1f7cc4327c3ce080b7ca04e7c68bf49b6a84e34eae.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1176886754-713327781-2233697964-1000\desktop.ini.tmp

Filesize
36KB

MD5
84652d47577eddff3995e138a09e4438

SHA1
43322608ab52d48a05248cc986d7413ca2eabc5f

SHA256
e93f924b8780523a2f327988101e05b6c7c4a642180f689b69b7886a31446d90

SHA512
245de42d9e539cb46cc248cc67e063571200be1cd8d43e4133c0ea0cc92a41f39b6cced78c600f762fa8d4fced047ab3d395ecc1369b7bb77c94367343ff78b9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
df20488e3dd85f151c7e266262010227

SHA1
295f0d1aad472dff935c8e1a701ef761bc794bfa

SHA256
6eaed5c91c8c3cafa4541217e112014a8694d1434e5cf0178888d831e034c8d3

SHA512
7ec1519de7fec6f508bf1539b7fdad87e20bf7c809f39be39aa5065133e6f7c92a84d3ccc9cdd31ee5182a91097d975fa50486654a3d18cf0b00432d9eb0c12f

Download Submit