e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
Size

57KB
MD5

8111303baeb96314fe2fb01817280c13
SHA1

ce6ead41e07cd33b612f44eda2fde0c315697e50
SHA256

e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224
SHA512

a91dd230078145d7f879ffd77a57a64c2e045cbcfa25ea8d83869377ce2751005165c56618a992240e9474942fb595420538d788648aad507ea98fa565bfbeb5
SSDEEP

1536:W7ZrpApojswv0EhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsuZ:6rWpcsHEhLfyBtPf50FWkFpPDze/qFsc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationCore.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationUI.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2gss.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXC.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe

C:\Users\Admin\AppData\Local\Temp\e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe
"C:\Users\Admin\AppData\Local\Temp\e8c1c9bb4f101ae21c29ea53305d4e45cef2fed46dce76063967c0008fc06224.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
57KB

MD5
a6ecd12f61f96b32596042cdb7cd2256

SHA1
58b55ba1dbea3c34a077ab471bb356c3c91b354c

SHA256
b59670afa4d0da8a1bf3c22e30756fe9447fc30564323a0f120b33a10bf115a6

SHA512
f03c5a183445ad23dd6c051e857bac1965f69e703844f6d79293c7000759119fa43bf45e4649b78174d8b3090d9bb2b9dae0a0a06e1c760bce3b965f7478a3f5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
9ef9b61c9488a16890f49446101713ec

SHA1
cbf795bbca7c350662c67b82fa36d787ae59a6cc

SHA256
63d453c538994a161230f7b6baf233fb12e6fc94e793a021ca57f25d66521efe

SHA512
51513b18416224fa024d9dc434bac824bb3ab9def50ca19c4447a3f10bd56a6c211457ca28d9b59961369c5faf9379ec57df23c9a7967e44f9732b529bcdf5ba

Download Submit