e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
Size

111KB
MD5

86d97f04a6884d307cd2aff1c60db9c5
SHA1

0d41ccbe52fce45034b8216ae3d6fc7fe62667b7
SHA256

e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68
SHA512

c067f9b8ad1a4d5dab735ccf66c764fcf2e04cd721db03fd591b5014ae41f10733f6e000d62a073659511bfe537f19904498399e702f5db94ab6c2d77e5c41c1
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBo:PqFF2Ie+effyu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4860) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul-oob.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationTypes.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hu\msipc.dll.mui.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe

C:\Users\Admin\AppData\Local\Temp\e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe
"C:\Users\Admin\AppData\Local\Temp\e8234ae9530e895553c1fb4ac4f0d2a5e39742e39e99555f9c650c35562e4f68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
111KB

MD5
b2752eeeacb4451fc13c3867f8c628aa

SHA1
20cebe7e9f835fa0ef1e2324ba944ab756a90175

SHA256
686d34154e92f88e7f0238d24b0254876b8a24840c10d5c9f370d69ad3fa9493

SHA512
4562616dc2cab3bc4c2b3c10af590f26fa311ccf05534c7460798e311403769ebbb6506f1a1edd42c84c8c9d66c9c905e12b1c1c026a692a1603f29f2d3f9e8e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
210KB

MD5
20637d5695e762440d9c63032efb39bc

SHA1
5383c05fd8ca59b4daa4888d0a6bc92970130457

SHA256
4c46c6ddd7aef2737eb825399e11ede0ad84fec1a9079ad79658e46d27ba1d33

SHA512
77e284d269cd07b98f3845602607254d9830ac40603d28f3972bc21d800f300d01bea6d7e7596cb848ff41d403139fab8c6c66da132a4eae9bbd57e377f16ee9

Download Submit