fd8658cfa7c0f2e8e30953c805e136739576c6a8a13ed382eb131cb714d3dc36

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca01b8b0875eeca877e50281e989e40N.exe
Size

41KB
MD5

eca01b8b0875eeca877e50281e989e40
SHA1

0e37868399115934fade193923245a086fe7ed08
SHA256

fd8658cfa7c0f2e8e30953c805e136739576c6a8a13ed382eb131cb714d3dc36
SHA512

9621b82b218b6008ecddd6a924a778ce30551eaae8c861261b8443cbc73b483dbf1d6d97cb5e1987329fbb1fc9a8245e903b2f7239848087c0ec614eef78d3fd
SSDEEP

384:GBt7Br5xjL9A7AgA71Fbhvn+nDm0CAmmLg5Ms7spsZ8HYGkqvtJ+Jy:W7BlphA7pARFbhOm0CAbLg+sy

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationCore.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp	eca01b8b0875eeca877e50281e989e40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp	eca01b8b0875eeca877e50281e989e40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eca01b8b0875eeca877e50281e989e40N.exe

C:\Users\Admin\AppData\Local\Temp\eca01b8b0875eeca877e50281e989e40N.exe
"C:\Users\Admin\AppData\Local\Temp\eca01b8b0875eeca877e50281e989e40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
41KB

MD5
1229e034ae80a6487e20bd77840dbaad

SHA1
82542a388940afc36cc0ce998b2536a4472499cd

SHA256
314ba1a7063f3c7598859fd805d7495355ef74628c20c117986cf12b9051ca5f

SHA512
4f0d5f4ebcb512722cd2d0c9398673390c26d859f7b92a8ec443b17f448146eccb8a026b5fea6b6ca377b446caac0288e5735679119f347b800d2a2969c88809

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
153KB

MD5
44e6090bb9d4a9e4e5486fbe824c1a7e

SHA1
444ae68a521e8fb6a43d1820119071202d91cd13

SHA256
b21f96fabce0a73f0cad54d0351d370c324d062526c3dc5cda3dcda08ca1058c

SHA512
20e1c58970c17ab5e2f3303e66db3dc648ea307a8cbb108640c627f0892f1b70f9af9f8560dc1174cb8b4380e53453135f7d8eab5d4d6e30356e834868792a8e

Download Submit