e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
Size

49KB
MD5

7f51d84f6ae6b8e7903670e7031f6520
SHA1

9776a52c6a2debf8c3e8cc67fbfbdbd6a2f1b5de
SHA256

e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3
SHA512

1d15097f0da581954ea252a7caa064a1582242c140250b929e7dd6b5a7dc37494de2d8c4be06e70ea13b08543e865e1edf3bff980a56811b23477d896656a5d9
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFHOrBtlBi1xxBtlBi1xE:W7ZppApBULcfpHLcfpyD0070Y

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4659) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\MergeConfirm.ttf.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Calendars.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sw.pak.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-US.pak.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.CodeDom.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.27 (x64).swidtag.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ar.pak.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe

C:\Users\Admin\AppData\Local\Temp\e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe
"C:\Users\Admin\AppData\Local\Temp\e461bb5b22f944fc58d539b13b56cdddb5f1176a5b0fbcddcf9ce3762b779ce3N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
49KB

MD5
85289cf2d0f8364d96a90cdba70e3714

SHA1
92557ac62f14a2f3142bf246959c6e1b9e83133f

SHA256
28bfa0c5b353cad7dd63cbb156524a316369a39c7dfd286af68b8508dab04139

SHA512
d78d0d83aa243e3f8c1df90add7ecd8fcef30bb747dce5350c5b69a1823c93b3fe0e3998c16ed3a4c0cda69d9f626b4a540a741b73e5e5af5e1a7c9ebc2a8c55

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
2fb6577a36c04de0446872ed5f3d2bb8

SHA1
13c362c69d9934696e282525696581616bca1b95

SHA256
2dc93dc125d6a15c98dfc2173a6a9c490f340dbdf1f326c17d36c17668d61b68

SHA512
80f6e5de3357a15595af8566a6c4b20d385e3a66be5d649626b08373949a894087e90d94806c180824b98e0239af6225f1663252929c1c8ef1f38c138ac826b2

Download Submit