e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
Size

231KB
MD5

41cbf5bdb3b613317d2e7f78175c5d51
SHA1

18471178d4daa0f96d4b20563acc54223f46ad73
SHA256

e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c
SHA512

3a464ca6e2f061b8eee082b9938823f93045218c24dbc3251b1fdc6a4013cc132544a6f2f31e355ff2f3973f4c4bbcc0cfb71e35133a964e9de69a375a3f1079
SSDEEP

768:W7BlphA7pARFbhKKVeIuKVeIBt+OKObYhnKhnZS+2w4Vqx0VqxzFtF2TZE:W7ZhA7pApBt+OKOsZKZZSjw4Vc0Vcb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4726) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ul-oob.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationUI.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jdk-1.8\release.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jre-1.8\bin\zip.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe

C:\Users\Admin\AppData\Local\Temp\e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe
"C:\Users\Admin\AppData\Local\Temp\e62845dc1cc79d2efdf3684651f5a211a502aac909ab5ea0e0552c3944d1886c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
231KB

MD5
0c344144593f0013bd5a0c9d85facbf5

SHA1
ea7c5a3e5d93729aeb850f459665b22719877d13

SHA256
78b08c8c1338347927a4578db1d2861f7458de2d122823e4997655e09f0f7d32

SHA512
0afdd35cf1f01a6faeae6e19f729e7b3a74d695835ecb59b62af069abf970205f94a9905be02d0f8bf440c4c0e502efbfa20072fe6f9dd0f46ef7858539100d7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
330KB

MD5
94804c3c2e8cac572a300f0937f38438

SHA1
cb9bc9aef844b19abaf87a9abb1fcfa22ab20995

SHA256
21bc174ba3c891f9cc1273cb7ff8cf4a2151088bb52e349b15a217a61a77dc48

SHA512
c5637a36852caa90cbbd5117b82f32723a5e0a4dfef4a0d8254fe6fd78af06048900136bed1c21e1818ba02f13423fff2197ec414f0fe45f028602e7335dc139

Download Submit