ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
Size

41KB
MD5

f58a256778841a8a885f9f9798e796b9
SHA1

5e45c93b93f7b077c99fae802af5cb78e7cab974
SHA256

ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0
SHA512

8e155aad07050a359db64a9dbb761afb76fca93094f6623392aadcc8944d62d8a0b476ef94cb82ec929f494cb9ec0ba99d44a76bc806931c8d0e8fe35e5d94e9
SSDEEP

384:yBs7Br5xjL8AgA71FbhvPvD4Qfxd4QfxI3V:/7BlpQpARFbh3vzfxRfxI3V

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe

C:\Users\Admin\AppData\Local\Temp\ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe
"C:\Users\Admin\AppData\Local\Temp\ea3c9e277182c009c38f0ad64cb22bc6b6c0bf3abb8ee1255eaee7b4312774d0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
41KB

MD5
325350f7064886db29bf4944e8e3e5cd

SHA1
f7973d5c599b23061d0deb22f7b4c0414a3c694e

SHA256
2ee1ab9c4709bd51df2b7acc0dea092b8db0e8a656f219b0810f5b670f63b447

SHA512
faca5e24b7797e3492291fbc20920962bd5df79c723ac85cd9e112b63a6457f288c670af7895c8a17f50c0e6341d321070a04d45b21231f19df5c85a6332c664

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
fe1322cb09bd67b48565178824d9d151

SHA1
866507be669a9701a292a9ec28f1a74846d37059

SHA256
484451932760f70aad4a0656de1439a2e589b94a9718a5c560c9f4b644514f1c

SHA512
4184d44e3784d565c81312d6183556b02ea625d3eda283a7328f19a67731435238fee2c1f0bcf5fd8789612cc9373454f24f9c9756bd9161965d43ec0bcca2bf

Download Submit
memory/4252-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4252-1974-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download