fb1a311d80e857d979f6baa5ef700c77a6995f9ac588e95448cd26ee7c2dba14

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e07a9bdcad76aa47084360f521f24330N.exe
Size

43KB
MD5

e07a9bdcad76aa47084360f521f24330
SHA1

f135148a4d58de82e005d47586679589138b50ad
SHA256

fb1a311d80e857d979f6baa5ef700c77a6995f9ac588e95448cd26ee7c2dba14
SHA512

6cb82d5b5d818d49eb520c57a9c9ba829b6719a1e7a6b94bb96e68dc5d86c1dd63c352290f266029b9801d0ea6b4f370b0b4027fa94059a36545eb4bd0045fdb
SSDEEP

384:GBt7Br5xjL9A7AgA71Fbhvnqj7jU7ubTAgpbuvx10AaIdKB7ubTAgpbuvx10AaIV:W7BlphA7pARFbhL801VvM801Vvv7cY3

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4644) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationProvider.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-pl.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.ILGeneration.dll.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Java\jdk-1.8\COPYRIGHT.tmp	e07a9bdcad76aa47084360f521f24330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	e07a9bdcad76aa47084360f521f24330N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e07a9bdcad76aa47084360f521f24330N.exe

C:\Users\Admin\AppData\Local\Temp\e07a9bdcad76aa47084360f521f24330N.exe
"C:\Users\Admin\AppData\Local\Temp\e07a9bdcad76aa47084360f521f24330N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
43KB

MD5
4bdf33b0ab4890b76997675614804bf2

SHA1
b081c126e80d0d47e4673b729e7462b30c09a80d

SHA256
6d8ad7d22a658e7b038379c9b22256ecc9b2a0dab7c0ec463755df49c07e3baf

SHA512
2e6c8705dacae14756320b29afc6198a3d12509bfd54267d72ac9796d879ff9fb752d0341b7de152f553a5d8cc6de530ead7f7e06fcf86c3026e087444598eef

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
d97ed824213069a87ca841b00669430e

SHA1
62a9cadb1012b39a9de2cfbb6ea3b5076d1a76f5

SHA256
a627f70ba33b535e460677619505a2aa0540114c39afc2b44056346b93182e9a

SHA512
1167e7b6067c09baaf408787d14751ffe46f65eba5a73d49808d1d3ef72fe41f280f7a209a7edf3b836c126030c39927aa254ceb20264b0eec38db87e5a8b86f

Download Submit