e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
Size

51KB
MD5

8d87ee478edf2988dc88f8b4a621664a
SHA1

ce9b517dc49d9042288596c83261fc51b6eeeb19
SHA256

e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210
SHA512

3a6a1e57961ad92fd88e5ca3404d2b7b0464d5199be4add8a94f44c2b4e928fe3cdd31f8d221065fa3935eaa929abd29ca5bdf2e0b7904e151c81a3ffc3ea609
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzS5c5mxqORP+tY/8q8Q8drVIJqt4:/7BlpQpARFbhdS5c5mxqORgqu3Ft4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsFormsIntegration.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FREESCPT.TTF.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Permissions.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe

C:\Users\Admin\AppData\Local\Temp\e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe
"C:\Users\Admin\AppData\Local\Temp\e500d03eb3e48822d479ac6d685d7945e91175aa61ca9380b26605337124c210.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
51KB

MD5
4b50579823f17563eb3c549ab5246b69

SHA1
a1cc482a122b82e3eebc29427cf3568a696bfbaa

SHA256
8a67223b66cac44e2e371c48bbfd0d90336d41a38b6577f3efe4a5ce13ecfe6c

SHA512
df202ed3cbd7103074f9056ed6e8b3e7567bcc35f67b3e15e9a63e48e5c42d712162c0b1a66d86eb4cea56fcd5ce7dd61592f68357db828c952a14c50caf8821

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
2764df65f09d55dc75e729a37d4ee030

SHA1
f79def2f060292a8e1a24390f986233d20d71189

SHA256
dd0668e048f84683cbbea82046311e8cd60586b1e26ab3dc09163b48a4c8017f

SHA512
e273b4ee8d8488eac2a37a89d321a4b7e635ca41b4dc0e2e31fad3e6660625db05c97200c4b5d8b8a7c6be6ce506c1a305e1340dba805d2b63521a13743757d2

Download Submit
memory/2912-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2912-1954-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download