e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
Size

210KB
MD5

fc2dffeddf003fc5f7121240b0211aea
SHA1

9fe27311abead35eeae291ce31f80619cd7d3b83
SHA256

e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2
SHA512

d07b9b8c82da81bcc13416e5173cb2a73e06ef2efe90979a2322fc9cbb0358544b935821df2e753c159f838fbaaddef7909e4325b2f887086489cffc1e05ec91
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l5QXTfocVq8DPWQitNt0WgrHh3XGdR:RqKB+tOkWKR0nQjgejWQitNt0W0HeR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4728) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemCore.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationUI.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2native.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Brotli.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsBase.resources.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Channels.dll.tmp	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe

C:\Users\Admin\AppData\Local\Temp\e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe
"C:\Users\Admin\AppData\Local\Temp\e5b7962bdabb438a2b4b0df7061f641a301d1a51cd9044e710aa21deaabce7c2.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
211KB

MD5
87c2c7849931a85099fcc9ec728902a9

SHA1
c20b9c5708eff0cb21d4174c1da739e1953fc522

SHA256
a9456ebee81b969a31edda811412474df7f0b9af26bab53ac69a4c64b897cdd2

SHA512
634f0caf26439227dc278052177085bd554fd53675755d5572a6a3741f334f26d4a138c3dda4f0ffb500e17e4f4495dcb9b3e0e76097425adc4fca35205656f2

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
309KB

MD5
a19463c459bce127e92d7b1ce9d65cc1

SHA1
93c9a6e221f5a4950d34298c06889c6d699dcaa5

SHA256
42cfb618c0196ed9f6f8dbddc0825bd7c095398610860b37287c6a481333de86

SHA512
1fc384bf847d313eee3e7f2dd3415d3084cfe3f33c2dd6820832eed85ea00a228f405140f529feec3b120cfcb8b0b7e1fa16e07f216bb5c700fafb2fce245702

Download Submit