14f8091146b9f07c15d7fce4d16387037561c35b7ada9bb20dfe2c73e1bf7562

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b62a3d73316b9fb34f32d34d8acb80N.exe
Size

89KB
MD5

e5b62a3d73316b9fb34f32d34d8acb80
SHA1

3483469376667c445a6673cdaf2c88e5de3ceacf
SHA256

14f8091146b9f07c15d7fce4d16387037561c35b7ada9bb20dfe2c73e1bf7562
SHA512

1b142d407fad6fea8823fe208812d3dbc270b06f4cce2c5ce0908b34674aa4aa8580202c097dab1de544854f7837dea010f13573ce26f02af734b82f87eb3324
SSDEEP

768:/7BlpQpARFbhiWb8naOnaBGNB3NIw3NIH+3m0mv:/7ZQpAp/Eaiau3NIw3NI2m0mv

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4362) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ppd.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.DataContractSerialization.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Input.Manipulations.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.DataContractSerialization.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.DispatchProxy.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_font.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	e5b62a3d73316b9fb34f32d34d8acb80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5b62a3d73316b9fb34f32d34d8acb80N.exe

C:\Users\Admin\AppData\Local\Temp\e5b62a3d73316b9fb34f32d34d8acb80N.exe
"C:\Users\Admin\AppData\Local\Temp\e5b62a3d73316b9fb34f32d34d8acb80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
89KB

MD5
33e61ed8faecbdd6aa203c6cf30fd616

SHA1
8b1ed5aa88416e127de4acf55b24da81a5c5b3b3

SHA256
0b79a4f6a9f64d4eea4217f4054052b16200de645279a6590c70d93c8da8e76a

SHA512
c32672b40a9d74c6bfb360b95da656b5bd35ba223de08eec2545c994712f10656179c908bb33ecf385f8222d5a51a0d9172a1dc03250b91f8939f3d6df61a0aa

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
3dc84b9c5e5d2dc215c54d747b76482e

SHA1
23405e6c042855d3bb04795fc1d30bed4d85956a

SHA256
d1429d2a71fb7f59beec12d2170217d5eaf90156929418c30f9f903665358902

SHA512
73cbd6361119228d3344dc20aab86039bbcb81855209ccba057b64ce05f8a1d13a50e49abf8bc8fc891e7149b5a29d12f96ef70f2486a4f84fddfdbabf8ddb13

Download Submit
memory/5044-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5044-784-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download