ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
Size

38KB
MD5

b2fad0fe8b0cb6628c6109e1c38f7270
SHA1

d99c978057c98a55355b9682e76e6bfe951e19cc
SHA256

ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5
SHA512

4a1160cc135a8a047e53795d5b10e35e77018b65d4535686ff39987b311147c7faa1093169704db842dda3f8bea2258a66b9d996a86d4fd987243d7e96bbf267
SSDEEP

768:W7BlpppARFbhjbhPKueKudLw1RntnaJtLJtr:W7ZppApB7PtaJtLJtr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4673) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.ProtectedData.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ul-oob.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\el.pak.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libGLESv2.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe

C:\Users\Admin\AppData\Local\Temp\ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe
"C:\Users\Admin\AppData\Local\Temp\ed8a07c6543f51993c28fcbc5c28da365b1518d333dfdc6224134fc9c74ed3e5N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
39KB

MD5
b9b30fd9a13601bf5554c3a525a01eb5

SHA1
1746a8f9c1aa27bfbe1a098aa2416d7c4bb3d2f8

SHA256
2952a694fab29468039ee20e706cef44384a3efe4f90144d1bb2be545c6144ad

SHA512
5a5ff010e96885c3d4d3ec3a683914f315b29e645cad43f2b15e3a67f84bfb7a6995dbcc9007882ea3842dd6a38f0802902e80e305e1e63255ece61492ead451

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
1e0206b5cb478cb92cfaa1719c0c5c7d

SHA1
1e67d597b8747a91496f938b3a33e3a4b48d2ff8

SHA256
b701d68d800bf7a25f7df0f5115d431bfeb79cd7c062db019037db1966028a80

SHA512
4f5218e64085f5803f48cfe9880a97a99fbb3b63b9c11ec75e8f2d7cdcb281aec8f9bd4696f6a6817bcfeea36c8587733fa20d1820eee7f217c4d9d391aa32a3

Download Submit