9c79d2cdb787643be1fbae43de9f76ce3a2a32db033c01c6c4d8e537233e76c5

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e90676b34d8c62fb1a4dbe557c51ca10N.exe
Size

41KB
MD5

e90676b34d8c62fb1a4dbe557c51ca10
SHA1

c46acf256846a59fa585158c2b467f97f2d1ebf5
SHA256

9c79d2cdb787643be1fbae43de9f76ce3a2a32db033c01c6c4d8e537233e76c5
SHA512

d4999d27be14df8989103dbd8d3a2fcfb05c8586f49791ae8e93df3d5ae7b252ef0858019629133a8b9546fd5c613d1c29a63bcfde84afc480b3e85a28f9d661
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSsr+rF:W7ZhA7pApM21LOA1LOl6vSsr+rF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationProvider.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClient.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Primitives.dll.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	e90676b34d8c62fb1a4dbe557c51ca10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e90676b34d8c62fb1a4dbe557c51ca10N.exe

C:\Users\Admin\AppData\Local\Temp\e90676b34d8c62fb1a4dbe557c51ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\e90676b34d8c62fb1a4dbe557c51ca10N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
41KB

MD5
a67a567e1fc3b8d3769c0ace9487f8ab

SHA1
8e3b42037500781d86e4c311f645b4fee0129ca2

SHA256
a128fcfc6a94ae03b45780ab7f4bf9c691d000f098e3054b85ad9facf9098b06

SHA512
982dda78add0113d901174e1de3819be34c7fa4e8fdbdc1a7ce20fcc4163ad0a1b1f03ebc31891859cd81dcc42536754896b8cf1f8a5d760188b5f50cb894a5b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
fe00cc4bfa912a16e7462578a36b1357

SHA1
eefd54b53170cd4848307b0fb502a3ec33ecbc8a

SHA256
ae31c2c5d2351aee3f8b58b14ebd25f63f2efc27a4eec6f032bf379720505a7b

SHA512
f6b2e97706acb3dd6e158cb7ac47b88f6e1b20ebba448a7ccf1ca2c34478c1d6a5e7769183e474722c7fd5b6feb98bffaf0cbebeb750a4cf6554022058661af3

Download Submit