a31fb33638b84684ed31f1bb88cf27a7911acc32f3d5d46da50b909e5e81868a

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18a8cafd5470540d3b3b5db9a0690f0N.exe
Size

85KB
MD5

e18a8cafd5470540d3b3b5db9a0690f0
SHA1

f3a3e099de44c25f9f20cedb06af5fbefe5af200
SHA256

a31fb33638b84684ed31f1bb88cf27a7911acc32f3d5d46da50b909e5e81868a
SHA512

6f85130bc223cc865e346fd03f2bd2795a3856d7cff6411c9cbda20993f2cc15656c85ce7220ff0c5b6dbc87dc25b1535bf8a214b16f5fd2c3cf3f7c43bc9d1c
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65dyGdykNdNBK2LUf7XQ+23:69WpQE0zUzXv23

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4221) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Xaml.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Input.Manipulations.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-interlocked-l1-1-0.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebProxy.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.IO.Packaging.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.SystemEvents.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationFramework.resources.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp	e18a8cafd5470540d3b3b5db9a0690f0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e18a8cafd5470540d3b3b5db9a0690f0N.exe

C:\Users\Admin\AppData\Local\Temp\e18a8cafd5470540d3b3b5db9a0690f0N.exe
"C:\Users\Admin\AppData\Local\Temp\e18a8cafd5470540d3b3b5db9a0690f0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
86KB

MD5
b14beadec7a78cf9b2ae2857240a5719

SHA1
69852dd29dfa6321330a78d3433858695949d97e

SHA256
858f4375bb2ff9506f97976475c3936f352608372d54c4a715acf725e9700ead

SHA512
6b30fe4814b202214e0c32c170d7336d5216d50ed1d434cf4b90d1504399089528e62b530f5a54dd9566c1b80dcf332e50fffc18257030110c8e1caa0f8418ec

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
184KB

MD5
ccb25df1a01dcf0d4a7f5fea099185bb

SHA1
95579838105c2f7c51ea0b43083d5e7bd5330e5e

SHA256
64133ea82576369b7ca1e153778a99bcb1221aaf06aeca98c0bf3172ef0723c5

SHA512
931a2f09b44d623e3034219fa9af29860df33409a2bb21cd5f14ae317e2deecf1905627719ef28d15b0c0e1a9bfd546a5ac57edb35d7be6c6a326a350f7202fc

Download Submit