e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
Size

45KB
MD5

629cb4d7e0c9ed56156ec39c2a7524fe
SHA1

938d54a768ebd444f0205f61bfeec2e9ca6bd4b5
SHA256

e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed
SHA512

d43c4448690180cc650dc351af6b7874cd77e637e2fdd08598a010f748441b0a8570a1730a48bea0d39ccd02ec11f2b2018df05f27bf2ed542711ec0606f7cdb
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOd+WW:W7ZhA7pApM21LOA1LOc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MYSL.ICO.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS0009.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe

C:\Users\Admin\AppData\Local\Temp\e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe
"C:\Users\Admin\AppData\Local\Temp\e0e38da180274ed782698aeebc4b2ecbe1cc453a94d15103ee0087cc1510e9ed.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
46KB

MD5
a4244c04c1bb773dadcbfa6201037de2

SHA1
ed7a8639692f80f38f9895d38b92bc7196490409

SHA256
80051fdfee2f126ae4b99b1c7d588b91d38f73506c7231f6e8cfa34af560692c

SHA512
ee80d0ac9071abf58c9c6d1c6683f5d87e67efaf616ae1629ccfb1e41ec2ad1ec26da7562a158f93ec5e06b1e9e5fc1e236dc519c54544ba15051a9593287ab6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
1524fb6b1afd94390bb48fc7f66b66c6

SHA1
f97cf5e684b73bbeee2f92f1aa9759a6bcc1d37d

SHA256
c46c5559e09db77bc0861e39c41984535ddedabb110f584d2f648b6dcf3a2c76

SHA512
0d2b5c41e78553b235933eda03a71b5090c8a2687f75aad66c9a6c26cd372afcea0345212c6316f9a862d6713b47a1e740580fd66812aa52169813b951952206

Download Submit