552efbb2c4721d3775594cbddfbfd1af183de3386653093780e00a13942a2f4b

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6009c7627269c67e684090933e2d20N.exe
Size

47KB
MD5

2e6009c7627269c67e684090933e2d20
SHA1

1ae9be5e9c6cecbfe0dbe3c1533ae7ab65b36736
SHA256

552efbb2c4721d3775594cbddfbfd1af183de3386653093780e00a13942a2f4b
SHA512

0ebe23ce782cb1c3413f0e7c09748f095919b01cc2d644d5dc35094c8ec41144d150cb54be077e4f63317d55bc417c5f2a966c67354a0a2164998b5ff66fac74
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3ojoPWjyjoPWj+jUDXV8gcjUDXV8g7VxaShOhs3bN6:W7Blp9pARFbhxwWjxjhOK3JjhOK3a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\ReachFramework.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp	2e6009c7627269c67e684090933e2d20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e6009c7627269c67e684090933e2d20N.exe

C:\Users\Admin\AppData\Local\Temp\2e6009c7627269c67e684090933e2d20N.exe
"C:\Users\Admin\AppData\Local\Temp\2e6009c7627269c67e684090933e2d20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
47KB

MD5
3f9bd0458c19fa805f164e4b366061b0

SHA1
8389078b2db83755c2c80fa183ae9f511ee08978

SHA256
aad018ae5adaccd67b588e33e4c68dc963269bd1f45cb922eeb118aabba82ffd

SHA512
19aabb23db500a62827549f4f61bab07901d3ecc32ec99acca71cf63b6c764e5d6c42c8e84495591130cd67e97ace1f7e13a3f5da2af9ea42e5a642777be70ea

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
94ad5a9ae345307382abfce41a109222

SHA1
fc357015b989d1a8b10fafc12c97818bb897fcf6

SHA256
52b1e3252e1ec1c2c11a29f548c4466a843af9306cec15dd1127dec2793ad48f

SHA512
45b3e31fc7cc39a5c1edb93dfd760ab004ef0d67ff78a02f1c77c9082ca5e14b2ed11a271da57c7298f59abb1c0751060c0630c2f70183736494f3d58a66738f

Download Submit