22f8c23cda44363bebdd9dad7143489662d441cb687311146775d018194994ad

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e181a51c95709fabb7af17e3a3edcfe0N.exe
Size

73KB
MD5

e181a51c95709fabb7af17e3a3edcfe0
SHA1

f169d41f98e0f44e99d11ab04e551ea142300697
SHA256

22f8c23cda44363bebdd9dad7143489662d441cb687311146775d018194994ad
SHA512

636b8f85da2be3814b39a9a08f1b439573d3d6a71db6a1a40eb4083ba6872f2db116b809738c1e0cbdbb902ef57f01d4ea280b5707b0b3b3f85d68409021a1f6
SSDEEP

768:/7BlpQpARFbhWGUKBb4JxobNlAGAtgGnZGKgGnZGg:/7ZQpAp+KBpbNiB1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4328) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\af.pak.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-phn.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationProvider.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	e181a51c95709fabb7af17e3a3edcfe0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e181a51c95709fabb7af17e3a3edcfe0N.exe

C:\Users\Admin\AppData\Local\Temp\e181a51c95709fabb7af17e3a3edcfe0N.exe
"C:\Users\Admin\AppData\Local\Temp\e181a51c95709fabb7af17e3a3edcfe0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
74KB

MD5
5a965101d6a4436f33b63575a7d9a0aa

SHA1
0e4df826cd8e520ba72368a33782185849b3b487

SHA256
6920dbe4667c963dd40193777a0cacb49f1ed3d1a737aee66f5ef24ca1f655d6

SHA512
d8f239392235f9bfea722e38b7f58ef8ca6a78818dece328ad564eab8d5fe3433393f3bee1698a6b466081d60710c0b0ddd35b4b1f60a7d03536cce87527388d

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
186KB

MD5
5e3aa7a261b3820a14b523b29c7997c4

SHA1
296bd6b07d03fb3c8708cc80505161b1e3033813

SHA256
885619f081f7a154f3efa4947946a67c4a59785f6aa16fd99e6c9f31b450af9b

SHA512
882508ffa7a3fad04fa3b87a84318bea78faea4f88d6d2e0d9530a7fdb3b47e90dde77a2f3922ceaf1f090d0676d75078ddb8ac960b1095adc129469dd5a103c

Download Submit
memory/316-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/316-808-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download