e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
Size

86KB
MD5

6aa15a2c8f2d325f89ba04cf95c8da30
SHA1

519e14b3cd5d476642a2cf778ed638d6749e71ee
SHA256

e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a
SHA512

cf41c318375826df36b7efd9e804690cbd430fc7b41feccefcb0738dfdcee80ff84543122140c377eaa44c8c340232e03f2428456a788d0bed623593a7aa6597
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+eTdsdYSWO:6e7WpMaxeb0CYJ97lEYNR73e+eBSWO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\Office16\SLERROR.XML.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoev.exe.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationUI.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\icudtl.dat.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\LICENSE.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe

C:\Users\Admin\AppData\Local\Temp\e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe
"C:\Users\Admin\AppData\Local\Temp\e9a4427d9ea3c5bfe298f3efb285900ea058dea147a2535dedd70a294cdbd23a.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2077438316-259605770-1264560426-1000\desktop.ini.tmp

Filesize
86KB

MD5
6fbeacb2b4a2d56a32271a146681fa96

SHA1
3af9ef755f4e0ab91593042aee5984280ea56b11

SHA256
5cfa9a85df369853b98d6d50de893a498da72b6840adfccc90eee86536c17bf9

SHA512
941b9e8c3f9507f5be801766286559682414008a91e58f519e974e9809a9808b2748c9e5189d4eac91f8b287dc2850b20b4657666c658af92c8cd56f92130f93

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
c68d83d2c286281f675a397cc7146b67

SHA1
eebb6151d02a78b0a7c7369ceda13cff2c9b9456

SHA256
2b86e15844d30fdc1c23ba9485894c427b8bbd78dc7a39b2bada1ae7d5c0def1

SHA512
da0757cf4d5911e52139b7624d909855037e09a863fd5e746c42c9dd15bc54b63af63a337701bebee1320b90a27cb69ef7406b05010894c875ebaf441195e5cb

Download Submit