e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13d

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
Size

89KB
MD5

28d57199e8753ba74a5e7056cb5eac90
SHA1

61129701d12a4c2b5b3bcdcb328242b5bae44836
SHA256

e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13d
SHA512

9125a5e82a4cc1a572c69af421e579c74692be66020d731fe7c1f66b3d4b166066e49d05976983792084f2355ff16decf8d2ccd8dd4f47ea6053e4a2ddb45c6a
SSDEEP

768:W7BlphA7dASbSjJJ1EXBwzEXBwdcMcwBcCBcw/tio/tivBT37CPKKdJJ1EXBwzEq:W7ZhA7dABJJ7TTQoQJTW7JJ7TTQoQY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4531) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\include\jni.h.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ppd.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationFramework.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunjce_provider.jar.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClientSideProviders.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ppd.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-pl.xrm-ms.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe

C:\Users\Admin\AppData\Local\Temp\e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe
"C:\Users\Admin\AppData\Local\Temp\e52a4d134fc04e5d9a13363e26258e1450b846f067012a786967a0011a36b13dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
89KB

MD5
6f54ba3c6edc8d8ff40262901ebd7372

SHA1
24d76225fc2a6562febc06621eba827c5d39e1ce

SHA256
1cb943ced20aa912816d48e5dd42e9adc15ad311b989e4be64916ab6603f964d

SHA512
c17e89adf7b773bf644ce5dac2c85494eab0cb7430ed789b9af1a495834c3c3e6ed2f5eaaa26985fef022eb2ba45749d0e68f805dfce9fbf784fe3a3b82c8609

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
188KB

MD5
dd984a948ef1a1587d6e6261d19b5e91

SHA1
b8a3f4e49f7be815a6dd1b28e044da81fe5b99f1

SHA256
3327261e7fa987597b763bf3b4943d0c697a2e3b6c79f20f0f9c22f8d0a5e6f9

SHA512
e439634bbc33335a014d0b721a68cc94e40c0ecb534512d922f04ebf38a06c596821cf8b407079bc6596625452948ff55ad133c7283cef91e8e0c6ed90bf811c

Download Submit