1ec8f6fbb612bdb542b6d264fb935fcd6bce3c824a7b9f6dc210a46c43d72d6d

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e6e320a0da7862d73490a7c0e1bd8c0N.exe
Size

39KB
MD5

1e6e320a0da7862d73490a7c0e1bd8c0
SHA1

afe7938f372fb02a7c8277fa48f19369502823ed
SHA256

1ec8f6fbb612bdb542b6d264fb935fcd6bce3c824a7b9f6dc210a46c43d72d6d
SHA512

40d0592a976448956f0fb1ced6cb0455c18e2b1a760ab9bd75aabc4c587d2e764e61aa1d40b831eda02305181837db6d5973854768bb0ec42ec01d8759ab141a
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLm:W7ZppApBULcfpHLcfpyDh

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Loader.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationTypes.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\vi.pak.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	1e6e320a0da7862d73490a7c0e1bd8c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e6e320a0da7862d73490a7c0e1bd8c0N.exe

C:\Users\Admin\AppData\Local\Temp\1e6e320a0da7862d73490a7c0e1bd8c0N.exe
"C:\Users\Admin\AppData\Local\Temp\1e6e320a0da7862d73490a7c0e1bd8c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
39KB

MD5
90113adf98e1000c7936235ceb3d22fe

SHA1
adda1fb05689b5cdd60b875495a3415c1652d6e9

SHA256
35e540e38f8f4f738325029441a0b84ce93bdb5555b4749a4025c3b4a7c8333e

SHA512
31bccea9e4dcb5d0e401a29d32db42feb67ab80b2556d6b28988a3a8e0d49aae9c3a234b7a61424bc4ff857eabc72804c0414e802c41377744c33383365a9bdc

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
f4e66c99d0e49d6a7e009288dceeb0ad

SHA1
691b378be523f6bf86ca2cb040d92203d96c374a

SHA256
d600956ab8e8b754f308b8d5a4568ddba8f9e7a47bc5b957e64b9dd198cd24cf

SHA512
7b395b3611ee41950d322ee62ae018e05e285e02c940e8e124ed91d034324b8cd5a6b05b031fba7aa7b4268df60b47ed7f5523f35256536d258c572984ddba17

Download Submit