30bc8a53529e8fedb7bb2474981c436dd65542e6737c3876e30b3937bb287345

Analysis

max time kernel
119s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e8cc55165c0977bff130b8af4d85d50N.exe
Size

46KB
MD5

2e8cc55165c0977bff130b8af4d85d50
SHA1

217e3397c52f07bc71b4e9d509014e2d49b6d344
SHA256

30bc8a53529e8fedb7bb2474981c436dd65542e6737c3876e30b3937bb287345
SHA512

c18c436b822a9666466cfce727b231eb61069feb3876c8c28cf4b52462dc5524b4f60b6a55935b71eee6f7838a49daea914ad893fb9879daef1c4d7934bb0e97
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5loox4EOtiDJifox4EOtiDJi/Vox4ES:W7ZhA7pApM21LOA1LOl6o44424441tP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4683) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\vcruntime140_cor3.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\FindResolve.aifc.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fil.pak.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\PresentationCore.resources.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-pl.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	2e8cc55165c0977bff130b8af4d85d50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e8cc55165c0977bff130b8af4d85d50N.exe

C:\Users\Admin\AppData\Local\Temp\2e8cc55165c0977bff130b8af4d85d50N.exe
"C:\Users\Admin\AppData\Local\Temp\2e8cc55165c0977bff130b8af4d85d50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
46KB

MD5
3b9f5eb4876058b6026fb36ff4fbc659

SHA1
0622d85d2e7cf9a7df4b882caa78841a1196a6f2

SHA256
e36c0e47f944e616221147394653c81d2f25f014c10b79778d893686489efc7b

SHA512
3d8586db95f80a031e983e710608d665900f1e84286e952c78f7abe4853891c1794a7555b3fa1a48dc34ed4cbea5260e173d8ea1ee2de609a11aa4400344a35b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
e0d6d96864fc0a8ead0b6925e4557a17

SHA1
b5d7adc3f8f565b487d116be4ed51001fd01b268

SHA256
ac4f06b0421f437dc7fadd71b535673255804464e4d00b520beafa899a602c84

SHA512
c59bc330dafd89cf609da543d84efea5f34af0f3be4b43fcd24ac16670353b086a7b9b39526387bfbb4366c5d4683c1f843d1d43c536f2d0ee43098ae7e1d235

Download Submit