e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
Size

51KB
MD5

ee3f44f95123a1ec581a82431e4d8469
SHA1

b4b468f879c319a064e409695dd6f43cf9a0f623
SHA256

e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82
SHA512

78fdc73254d8e3c77a8fc7d99b77d689060fd277721e0161a7e566d626e24cd275ff32053e01d13f5a3cad6b82e9888c7bac18c56ef3c1b960ca092b7886c4e2
SSDEEP

1536:/7ZQpApdChFd7naVF5sQwyaqmChFd7naVF5sQwyaqA:9QWpR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\TellMeRuntime.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Xaml.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Windows.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe

C:\Users\Admin\AppData\Local\Temp\e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe
"C:\Users\Admin\AppData\Local\Temp\e6978b7c2d09d792d4e01018508cc754d0184529312f28360e5977fdc7332d82.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
51KB

MD5
8532a3aa045528f29b0f2379f9215f5b

SHA1
8463396109393a983b3947ce83cf7eb76e542788

SHA256
63f7576cd35faf290aaf98b131d17683c9a505fb1f9dbc2471ca921b15112e16

SHA512
ff6110ad8a951f3f5dc1088fd68d1c74b7eb29ee35858674572a2d38069bf0fb82b88bf036e86e5e8363b4ca59dc444e0ec1fceb20181839f8ca097729c77944

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
a6a30c846232070f93939166abe6a0d1

SHA1
5df0555e748eec91c15144272753da90eed28945

SHA256
87c110917069f18f0e9856ac6ae887e0731644c2999917aa7912ab034ec9453f

SHA512
31bef21acb60c62908dcd9f0598fc3b1216fbc3785c7286a63c13aa5927829d223e96c54bb03bc8ede6a988107fd9a5e73a8ca83fac51fd10c2a89644b9729f1

Download Submit
memory/3964-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3964-898-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download