5febdaab80d6a1dd88a1e7b2017b5952ef43a85913346f9d848df92a0ed769d9

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 05:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ed2b26846caaacbc5dcb1453251e0240N.exe
Size

62KB
MD5

ed2b26846caaacbc5dcb1453251e0240
SHA1

9de4c1e0c30e7b44dfd72ffbc3b59eb96a4cecc1
SHA256

5febdaab80d6a1dd88a1e7b2017b5952ef43a85913346f9d848df92a0ed769d9
SHA512

e0c89a3d53517d07ce47928c401c42ce5e01d85218b290184d12858d373524ee38126e09adb76a7c6f41a6ab1fcc362220866fbd8a2e53159ff4d25013b1eb22
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw70EXBwzEXBwOvEJcvEJFTBEji:W7ZppApqvZvITB1

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.CodeDom.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.Primitives.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\Welcome.html.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	ed2b26846caaacbc5dcb1453251e0240N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed2b26846caaacbc5dcb1453251e0240N.exe

C:\Users\Admin\AppData\Local\Temp\ed2b26846caaacbc5dcb1453251e0240N.exe
"C:\Users\Admin\AppData\Local\Temp\ed2b26846caaacbc5dcb1453251e0240N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
62KB

MD5
ef53ca65f67f3c927f3f736baf48be38

SHA1
798e526357116915c78ff98f13ffe245be7b0dfc

SHA256
62cc6e369529c4bb555bf364a7f8c75d09984dbb13c8ae0e5a320c2817d24707

SHA512
ffcd985b374915afea2d9e044e143772e35bded69209c6d68c542cf5dfdf0d806633c25058b945d4a0bca823f3d7d7a3e3d11c2ea6cc28d0eabaf81c2548d955

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
a8ae93eb6f2df26b5b40ea6cd6137d6c

SHA1
79eb077466eb958e07986477ec4b4c31dea7042f

SHA256
7932b66c968f6e3007ec920ca05c252f8b7144f9635187e7f75ec3ecc1c784ab

SHA512
af80f01e447916b235f8a13d7714eddeb020d50dc5e703714c313f25ba93b3d1961fdd1128071030531d6e4f39e22e06adc0becdf6855500e2d60572f4cd68cf

Download Submit