1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
Size

74KB
MD5

9c2c4b45a9b4c4e06c53c314faf715cd
SHA1

2c1350442c107c52d078587f46d88cc3606502ca
SHA256

1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27
SHA512

4d21d7ea1a5122ab54f38e078e3af3b229e19a051c60ad6c927fc031c1fec756b8d7fa42ead2548b31be8769ba8eb7842382f9199e3bca1b8253a17d012ccbd6
SSDEEP

1536:W7ZhA7dAZ1++PJHJXA/OsIZfzc3/Q8+CtlYSDL:6e76mQSostXDL

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White.png.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClient.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ul-oob.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-1-0.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\zip.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe

C:\Users\Admin\AppData\Local\Temp\1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe
"C:\Users\Admin\AppData\Local\Temp\1ea878107c4811573305907573d45a5d61cdc6d52d779dde4024122bb4776a27.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
74KB

MD5
fc828f6eaae6d8ecda55b35ac7190ae8

SHA1
61933d20a6b95f6cb347cb84910a854856bd417f

SHA256
deaf5dc7fe334216c0702a7fadba824cc87ad9f10b8ed57d7ebc8479630c591f

SHA512
992a795f148447cc790369f1025669d12311f72bccdf97af91b8f089880b2b3b74b88e56c8baff60e599a031bdf543db3f7631ba4abb9388110992e683d07cbe

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
173KB

MD5
c89e684d932926ee1ed9813a5c807fd1

SHA1
cf8f7ca631d7257a0279abe86e15ed5d0de8accf

SHA256
be40d13f3b46d485dc82473316890f2cf4ac5cfa9d2c068970905de4c6639d71

SHA512
ebbfd39374dfadaa26c4b15965638947b461cbe177442040514866f5382ef4340d19a6004793bd661ee0029a5f80472472203c3599b1c53c21709d556c72795b

Download Submit