3c8a47d07c42227c38abfcf71925bfa35e290b0c104a21772742774b102eaebf

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e28359b6db4e9d392b5d87fa7785a210N.exe
Size

43KB
MD5

e28359b6db4e9d392b5d87fa7785a210
SHA1

2ef70d108b7853679b799fb859b5fda9a33841fa
SHA256

3c8a47d07c42227c38abfcf71925bfa35e290b0c104a21772742774b102eaebf
SHA512

7ae8ba998eed916b96356fe3b4c0b0a1faba3b772f2fe4d2e0e3762bb763e521d1800848e10edeff4b1d89920907696e53cd3e9898b557b601b85ff339fc26f8
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzHqK66CPK66CR262X:/7BlpQpARFbhNI3NCSNCRhs

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-process-l1-1-0.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClient.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Design.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.dll.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	e28359b6db4e9d392b5d87fa7785a210N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e28359b6db4e9d392b5d87fa7785a210N.exe

C:\Users\Admin\AppData\Local\Temp\e28359b6db4e9d392b5d87fa7785a210N.exe
"C:\Users\Admin\AppData\Local\Temp\e28359b6db4e9d392b5d87fa7785a210N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
43KB

MD5
8066823cf73f2c3f5951826d2db0a646

SHA1
c5581cdddbe1c1be0de791c83e84df27f060898b

SHA256
261113d4e1a0494b9dcc2d6fdb4b01e12a8a1b68586794e25393cb17c37b93fa

SHA512
6998bfbf8ca948f902b342d7a77fb2374fa91dc1cb2b2597d572c5eff6b7e03b8a2b51682eaf6c4041313ed415ef8430dc586e9c0b5e535b47d71d60ecf0288c

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
6385d396e6b5ceb072c982dc7b28ca28

SHA1
e1824edb6ff843e2f28cda73b890fd8d6f54e56a

SHA256
d6f0e6cbc76f3859b9fd93a41f0dec66714c6494f5ddb0430e7ca9c53eca30a7

SHA512
52fc89998919d630a98318dd6db96dcd03c610bfb7a0fd5f439f1857970c9c4bb3a88adfc5c40988e22e4640a667e4aa0462237c695a4228334e2640b48475c3

Download Submit
memory/4160-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4160-966-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download