37a0b92e7dc9ba39ebcbf6a616b68e8f0ec473adb049782f2fdff9d1a4213bdc

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1c396e82aa7ebc9ddb156fadf1166c0N.exe
Size

42KB
MD5

e1c396e82aa7ebc9ddb156fadf1166c0
SHA1

cf577d52425e53224090f3948be1dca48ecdc144
SHA256

37a0b92e7dc9ba39ebcbf6a616b68e8f0ec473adb049782f2fdff9d1a4213bdc
SHA512

344c95274eec24f7545eefa80591abb0bdaa6c8866fedc990368df2235480e921eb23c554b56c3e0ce6407dac2c008aab22312b1e3bbd7531da7b056dc31d635
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLNdyGdy/a2ax:W7ZppApBULcfpHLcfpyDUdyGdyc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClient.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	e1c396e82aa7ebc9ddb156fadf1166c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1c396e82aa7ebc9ddb156fadf1166c0N.exe

C:\Users\Admin\AppData\Local\Temp\e1c396e82aa7ebc9ddb156fadf1166c0N.exe
"C:\Users\Admin\AppData\Local\Temp\e1c396e82aa7ebc9ddb156fadf1166c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
43KB

MD5
ff874c50bf672671d577daff2ed7f6ac

SHA1
57ea103a80cd30d7a24ede811f6a5467004cd73b

SHA256
6feb85e8196f662a682fe2d8db93949307861aa6b988fdba44a2abf8ffcc825a

SHA512
2aae3b7d131d103689da9eb50c42bf9dfb47d3599d0fdf7f8de9361e5f8364a5a1f936d85f8fe6f13a314357123eab09f7f451a85634ec540d7a4c0559f1e3ba

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
155KB

MD5
4f0f2adb8a602b9ae181cd2be2aabace

SHA1
015e86f69bc55f57b9d754c841639e49279c5704

SHA256
a1173521ac15c0db8fb6fa16eb9e8c08eda082fa1f5f3ec2546a6e4371db533f

SHA512
e9261b6719b3ed543bca9561a65ce999f9fa1b0976537a1d0b1f0175aa09a3f5737a0f372a2f3cefd7ec81555e3f322c46a9cb495e6342f0d397d80ba30dbdab

Download Submit