833c31e58b459058b6f5aa0588454a2c28854242aa9a5f45d287a4a9cd990ee7

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e58e52eb424c20f49307c6912d1cea60N.exe
Size

238KB
MD5

e58e52eb424c20f49307c6912d1cea60
SHA1

0e10fa6b548e589fcb45ddb3afc18737d342e345
SHA256

833c31e58b459058b6f5aa0588454a2c28854242aa9a5f45d287a4a9cd990ee7
SHA512

74656e5d742caf7891b5c7703d27ad713d3de123143ce3432ce5e631ccd7dd3cd0225b5c6515d8c9b8448a9bdfc15f4cb432771e2ab02c0121da5e91062c8e6f
SSDEEP

768:W7BlphA7pARFbhKKVeIuKVeIBt+OKObYhnKhnZS+2w4Vqx0VqxzFtF2TZpe:W7ZhA7pApBt+OKOsZKZZSjw4Vc0Vcye

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3823) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\trusted.libraries.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp	e58e52eb424c20f49307c6912d1cea60N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	e58e52eb424c20f49307c6912d1cea60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58e52eb424c20f49307c6912d1cea60N.exe

C:\Users\Admin\AppData\Local\Temp\e58e52eb424c20f49307c6912d1cea60N.exe
"C:\Users\Admin\AppData\Local\Temp\e58e52eb424c20f49307c6912d1cea60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
1⤵
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
239KB

MD5
2722d985271f157f0f227cde98017fe1

SHA1
39d5b3addefdb40dad41da1b0b2cbac22888f3e9

SHA256
559bda102d5de5b57bca85acd557cc2324a3a7c3c19dd0698c9af200c3718336

SHA512
ec60fc34c1f065fef1dd2552d5c85e8acf1e48f5d50a111e34d5bbe1ea0cf26882dd4dcd284cc5d97f6fab6e51a0defeea8d5a5a8b257f3e85e1de0a21eccd5a

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
351KB

MD5
d66ea2b2b5ce3787cb3f95da46ae8264

SHA1
32f370abe3532fdd4072d28f56c840f62e10e83c

SHA256
6c2b4c95b9e70b2b1da1d7e8d827420a4f7c8a82616486e2546f0561e9b17a8b

SHA512
bc9053b20a9db18e03831181adb8c39442d46ebff44d5fe01c7b937dc5c577f3e2328cffb1f9eb3f3f75b5e9d454673dc82b508557d3f6ff8c36bd5e1dc11a4f

Download Submit