eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68

Analysis

max time kernel
150s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
Size

101KB
MD5

878c66aba17db61d4d819363a54dc12b
SHA1

d39c050d5f3981456d9848f7d30cf450b1557299
SHA256

eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68
SHA512

ea03a280586d7332b7fbb78f0413012bdf8730f351b408886fba7c34a95e0441fa85bd5da5274544f82555576cd33caa441957f3b8fbf0d3a211a5112ecc14d1
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZHfFpsJOfFpsJ6XX:RqKvb0CYJ973e+eKZd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4858) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe

C:\Users\Admin\AppData\Local\Temp\eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe
"C:\Users\Admin\AppData\Local\Temp\eccf9b801262ae65a1972a6aebdaa30c6709d9765213e628e3def99c0a097b68.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
101KB

MD5
63906da63eba0f0de4dd8692773b27bb

SHA1
b8ab92f346250157471e515f6bd4f0449e29020c

SHA256
92dfc3bb6c6cd7f09fce38612c232978daafa76c4edea53ff582033899c9da97

SHA512
9b51c0703946d82b38cac42c8e0893320a68cb43e4316be4f586e1dec80ba171b4d0e9399dc9439e347fa7e31b42207b47e0e4eda881c21c91f309f3b3765b43

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
200KB

MD5
e962c0e770996c8a2bd19eec97b74d85

SHA1
f56a8eecc11b5d371adf244822337932f0020547

SHA256
279e6ee393346ee2d3e593d10a693b8339f82c30584d7be13df43e23536d9dfa

SHA512
b8c5695873c674112bb3022543e564e4dd27417318dce88e4fd779073cec4b5a117324131743eca144f66946a71036fa79dad157b3b203e168310fbbefbb291d

Download Submit