e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
Size

87KB
MD5

473b023db6e0286853974a24b1ea7e85
SHA1

8cb92f767291f2571f9fda26bf625080874b50a0
SHA256

e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7
SHA512

3df779c0b8655a3cd338cd2c9e97c513c3b02dac7c7f4082ec713a3f58b2f3094d96c08870e03bb314e0ca271beb92dd6e769a755a4b652b9fb91cbde3ed86fd
SSDEEP

1536:W7ZhA7pApMaxB4b0CYJ97lEVqNR7Yge+ejy0Wjy0WzYk8/:6e7WpMaxeb0CYJ97lEYNR73e+eGGv8/

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (597) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\CompressImport.shtml.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe

C:\Users\Admin\AppData\Local\Temp\e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe
"C:\Users\Admin\AppData\Local\Temp\e831720fed20cd3a4485154dd0fb015dd65f127e03464db3521837fa5dffb8c7.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
87KB

MD5
9461b183f0743867e6dfdea944c039e1

SHA1
a11d7f29ffd9a2dcc541bcc0c3a9db598e9fdd08

SHA256
31446d2ac691605a5c173fc6b192ea1b2534680058e465e8ce5a714f4df0eaad

SHA512
d285e2f014cc418ca2153ceda9c6f54f4f77f99e88db95ba9dfe3471265dcfa260793c7d5dcc79a165be4545be1beb9fbb428f0dc69f3124a4d81bf9d03140bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
96KB

MD5
b329e19be581f0680ebb7d751cce9824

SHA1
efda566b7be984c8e4605a84c1e335265b46b736

SHA256
06b886e5d622fe2fcf3f572d87b9609f30c1738ef161cc29d0b47f9a9a42680f

SHA512
b8aaa3190a202c1e4965ccd59c6803084369b5c44d76b980ca12e2e9008e96892dc7c7d18a5e96d84e0fb9ed920a5e64cca4de3fa0432a7f622f5b3c926671f2

Download Submit