4529298ce3abb557ec1572a2a73e1bc74df0099bc7d144c3119b7038f288f295

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e628e6ed749476353d46e2d69c755950N.exe
Size

47KB
MD5

e628e6ed749476353d46e2d69c755950
SHA1

7ab808950645497822155f8c57b10c01c5fe5abe
SHA256

4529298ce3abb557ec1572a2a73e1bc74df0099bc7d144c3119b7038f288f295
SHA512

4fc304c8bd534fbcdcbddf8384cb9deb697267828776a89e06116d1ab97077ce499ae20d4c78c7bc9d6f9cf847779c1a064b79d7e9fb9ff268d274ec657b702d
SSDEEP

384:GBt7Br5xjL9A7AgA71Fbhvnqj7jU7ubTAgpbuvx10AaIdKB7ubTAgpbuvx10AaIH:W7BlphA7pARFbhL801VvM801Vvv7GqSC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4667) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ppd.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-pl.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ul-oob.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	e628e6ed749476353d46e2d69c755950N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	e628e6ed749476353d46e2d69c755950N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e628e6ed749476353d46e2d69c755950N.exe

C:\Users\Admin\AppData\Local\Temp\e628e6ed749476353d46e2d69c755950N.exe
"C:\Users\Admin\AppData\Local\Temp\e628e6ed749476353d46e2d69c755950N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
48KB

MD5
6b000da828ced6e8b490ddff16276c7f

SHA1
fcab79ce86a8a9f404b8f2fb8476fb473acf710a

SHA256
ff56bcb5518b2fc7279734b4b1473940680d086a0505ececdda9c1df0784d043

SHA512
67b46e168d2a74ebbfd26a6e0721b5d6596f5198cfdf7a6293fba6f70d71440cef9fbe428e888750571cbc1fd4fedec9a8246fd5c692dd108520d895e9ab565d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
9ec2a6447b45e6961ff106f06a440fe8

SHA1
c8f45000f5cfd22d634f0fd8048d239293f2e0ae

SHA256
c73e173ed61dd8c37bad0becd0b8432ba30b58accd2e73a6deecefe48b01041e

SHA512
de909c7adc3d511ade984ba895e247b3b2ef584333b38649b877cd25a8c1cde13fa79b3cf46b4c1647e5dd7e6681d569059be1c5bd2f09a1919b56cf09f6737d

Download Submit