e955af7c49b1548edaa781f60ae8dfcfeac1a5a624c4b0f771e0795f01bd61ac

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
Size

50KB
MD5

2e5eaafdfb958bf3f6a7f2c3672ed030
SHA1

0cfde6059a8baf47a5d2042bb3637959b89ac46c
SHA256

e955af7c49b1548edaa781f60ae8dfcfeac1a5a624c4b0f771e0795f01bd61ac
SHA512

a0f02dd9c9f921c0d47d95f873ef4ab9945926c0be05bc2f23c702710a8736f8cefa66b6d27ebf5229ca95aa9637dfb7ad8191dd36499fe87ac34bfa7beb5e0d
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnIH2YsTKnKqtaW3WaEdW3WHY3SjSGNT:W7BlphA7pARFbhvOsTKnKqtkYi+GNT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4529) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome.exe.sig.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\hi.pak.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationTypes.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e5eaafdfb958bf3f6a7f2c3672ed030N.exe

C:\Users\Admin\AppData\Local\Temp\2e5eaafdfb958bf3f6a7f2c3672ed030N.exe
"C:\Users\Admin\AppData\Local\Temp\2e5eaafdfb958bf3f6a7f2c3672ed030N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-857544305-989156968-2929034274-1000\desktop.ini.tmp

Filesize
51KB

MD5
c3380296ba01782d60ad8c1ba80daf3c

SHA1
7dd5b717231de06fa1f4db9d206066803a63ee00

SHA256
e31fcdea6474e82730ae9a5aff85c151e38b88592f86ddf3f13440dd9de7ae74

SHA512
37140a900b16d46bfb098b318ae95cbc5e4e74e653c817f9563c6f79646ee4856d82696c7c5c42d3b1eb329a9088b95caa2e20bba0200212c74a6795ee79a2e3

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
89b66bc3e8e153c8fdfa3d7f33e1d1e8

SHA1
6d0c95be72a6e3ae277cc81ff8598aaeb81bf767

SHA256
b5407f4e5eeaf2ef97a78b49fa21769f9281efbde69b2a6704f01e4a8c118fd1

SHA512
8b8244c7178a9ee31f3043476618e63719c7d1072f2cf1123303cdd7a8278148fa654054f70e5225a2adb8f1e858e0992af6d93a8a4dd09a1fe4afd09cfe408f

Download Submit