101c492358a14ba33a37a6998850fe4ed523dde2f20ba8bd822b0fe90f8ff3f6

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea4f589862b34155d46f9c184c8a30a0N.exe
Size

72KB
MD5

ea4f589862b34155d46f9c184c8a30a0
SHA1

bf6a495b39cc22a40cf3ae18bb8e95d8311f0660
SHA256

101c492358a14ba33a37a6998850fe4ed523dde2f20ba8bd822b0fe90f8ff3f6
SHA512

1c9eee52dd6b37a0896d241e30d60a61867ab7c8f464c2f996cc2308b1144eac3caf38a625cf6511b07b004e079dcd1ad826921054d5edbe04cbc5484f921ce3
SSDEEP

768:W7Blp+pARFbhtlmlQ3y3RWvf+wi1x9f+wi1xBTCcX8vgCcX8vSd5hdx8H:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5C

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4639) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\BlockUninstall.mp3.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.DLL.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	ea4f589862b34155d46f9c184c8a30a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea4f589862b34155d46f9c184c8a30a0N.exe

C:\Users\Admin\AppData\Local\Temp\ea4f589862b34155d46f9c184c8a30a0N.exe
"C:\Users\Admin\AppData\Local\Temp\ea4f589862b34155d46f9c184c8a30a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
73KB

MD5
05b0e55f4b0e1bd06ec4e4880f0c2aee

SHA1
a29916b7cf3f819cf253e8ccb511dfec2b174f54

SHA256
09f2d3882a7cf38397b94875191277f03702e4b4a2a5bc630bce4a42bd7ff788

SHA512
9aedda39634f0334a0b0ae111508ef7bc523792248adb25ce278a5c714eb5aec840abd50596a58212478a0c7110dd339a58197d8ea5a6de05ff7e84741a7d6b8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
aecfbb524806d945487cd0d1f3adb07f

SHA1
dfad466b7132a550114e3a07a6903e8dcd59feff

SHA256
3d1463e54d56ed7afba64c47151294f611776b1fb31543f210b2b979e0971b4a

SHA512
ae15bb1bed1adcab80f51a9841b578a3bee736348096c201bc2ba8dc61482f7688cf7fabe3677c76ac4907a9592f1c3db9152df42a93398faf3e6e61887009c8

Download Submit