ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
Size

43KB
MD5

caecf28240857a47c1d248a3432f97cd
SHA1

7152740e63afd217673259f1581ee8f53ebf47a0
SHA256

ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22
SHA512

ccd14c7b82d1083af4120cc83dcc8cc6957c74ccb82aac0353346a6dc5e889ecead324a38d01f1f343e92ee3a6d089dfe29a941cef0f683245ac14755a4defb5
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBN10wpAp/lvolGClvolGwTCus7sj0h3MM0h3MR:W7BlpppARFbhbt7Y7wTCg0hcM0hcR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsFormsIntegration.resources.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\msipc.dll.mui.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
File created	C:\Program Files\Microsoft Office\root\Office16\powerpnt.exe.manifest.tmp	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe

C:\Users\Admin\AppData\Local\Temp\ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe
"C:\Users\Admin\AppData\Local\Temp\ead0b1be8a879a4a31445353d043717f4a59f4e5d8f6395ab6a840efa1e54a22.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
44KB

MD5
45e3cd886c8dcaa2ebf62219e9b4596c

SHA1
13fb2b590e7e962b9a9630429a31fc8467485a52

SHA256
c55f40d0f8581c90535a19a9d555d59ff28c10e49fe600fa5a7007aedaa40d2f

SHA512
6c705cb89fff5acfd7f02741edc6e85dc20ba2edc5978ddea64fc0ed1e252bf931f61faf0d2ff911e564cdbab3f599cc357710db89f0d436e1343f0b836f3e49

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
cdccb90081738b69227679e0ee5e8f54

SHA1
9f1b48235af05e07fe34f86e28004d934b849cfe

SHA256
4f7d695fc9f1899f786414a982b5868301af54cb8158c4b4e9fd46f42d143fc0

SHA512
1c51acb0649fb67d1cde26da295a92b6f6511e241101fd1272114d957d19724b72d9c41be536f2eb7f959aa21c97989dd5042ff2f28fe41c7ac9bcaa048ed6ee

Download Submit