3c5dd3c5100b1e4c39945d9893e013c24865ce5d9ebfd314da17aa9940ab0905

Analysis

max time kernel
117s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 23:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eda0dc67266e4055c6ec48141cf98030N.exe
Size

51KB
MD5

eda0dc67266e4055c6ec48141cf98030
SHA1

f304b06aa2013f8f11a3c1c8a22f855b22515e08
SHA256

3c5dd3c5100b1e4c39945d9893e013c24865ce5d9ebfd314da17aa9940ab0905
SHA512

628e88395a2cf701031bfa616c80da8692e45adb68aadc0999f551973a841dbebf59678dbc2ef980a05cb2dd7f6d42229331782d541e9b8c2b7cc9fd34869c78
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnIH2YsTKnKqtaW3W/1NGbNi1NGbNh:W7BlphA7pARFbhvOsTKnKqtG1NGc1NGr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4627) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-environment-l1-1-0.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\ReachFramework.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.resources.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jre-1.8\bin\wsdetect.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Extensions.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV.tmp	eda0dc67266e4055c6ec48141cf98030N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp	eda0dc67266e4055c6ec48141cf98030N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eda0dc67266e4055c6ec48141cf98030N.exe

C:\Users\Admin\AppData\Local\Temp\eda0dc67266e4055c6ec48141cf98030N.exe
"C:\Users\Admin\AppData\Local\Temp\eda0dc67266e4055c6ec48141cf98030N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
52KB

MD5
840e6f8254d67f3b93561f136abe5047

SHA1
51ae3e0ec387e6de872bbc384457e9a63d060821

SHA256
71c0adaa7c3b6b281dbaf9e8250578806879071e44eb4cde6ce3d54e61cf1fed

SHA512
572ac759e4f12a7aca342d9bbede9bdde3e18a527c6ceda5548d93ac8d1ba470e4e5d31e4955d2a6c6ba5d35cd74ad9cd39726d583df527f3a0afb2ad77cf4fe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
150KB

MD5
354e45f9d979161866a08bcada7bf824

SHA1
fc7f96c1db376801aa35538d998a60ec2007ca61

SHA256
f32842d4df908a84c2a6e20e2969cf9cdd9dd12c0acfb879c42e36c8327a2cd1

SHA512
e58a219671800f228750bf4adddce5fb621ad96479a8503bc84e51e701774a2093a2886b11a207d9ea5b1ebb9b285e8134191ed011e34fa56bd989e92d1af43d

Download Submit