eb6a527bc62aef7e931188d6365e643743d3b7b9c2efe22f26442fc6d096be99

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e1ecd1e4535cb3feb43a920055226c0N.exe
Size

80KB
MD5

8e1ecd1e4535cb3feb43a920055226c0
SHA1

0dbcd3a3cea81510b6450b19fc0b67f335bfe8e2
SHA256

eb6a527bc62aef7e931188d6365e643743d3b7b9c2efe22f26442fc6d096be99
SHA512

68e77f025eaf53c0f35cc612ed8e82dd7241f61794c97ab8644b95e9b625df4f9913404bd7ede9c0f39daccefd8e4105b324d69dcdd6baf95e395ec582e7d643
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBwzEN:/7ZQpApze+eJfFpsJOfFpsJ5DJrwKn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4304) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ir.idl.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-oob.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	8e1ecd1e4535cb3feb43a920055226c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e1ecd1e4535cb3feb43a920055226c0N.exe

C:\Users\Admin\AppData\Local\Temp\8e1ecd1e4535cb3feb43a920055226c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8e1ecd1e4535cb3feb43a920055226c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
81KB

MD5
5b675bda2dcb388b2f5d3dc71928c851

SHA1
034606205bd8171131053a707b15b6956c144749

SHA256
005249bb7238531e8b672588c03d049fe5d7a4e10231c76d9cee7722f597b509

SHA512
fa2e9e1c879aee00c7f6bf764052e6501dac904e67c4f6b6aedb591555f9829c75eac1e22be7e5e5b0f2fbb4ffbee5ca2e58b7c661bfd8c0cb220563fcae0f49

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
180KB

MD5
f754b7936335d9a675ddac3aa4de30a6

SHA1
da5dae98e0d9b6e1fd034ebdbbafc03dfe071679

SHA256
b8a7ef2801d08b4ba6d70176508522dd0350d78ecb03fe9f800629a9ca0ff48e

SHA512
246e802e83adeb573d49ed57774b35fb72fcba9df59afed4b1168407a0fa286a8a6a312b853006586186cd0c67a5fb8f09d1027dd082076f59cc79f72032b32f

Download Submit
memory/2444-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2444-840-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download