e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564e

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
Size

91KB
MD5

8ff7989c19581060657bb07521d74830
SHA1

62b2fc5fa751c8c6b4c002b3a739b699996cb468
SHA256

e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564e
SHA512

ceffcbbca7870f88520fbcd0c69023dd9845508d9f9c378c96a070c2d8f5cc1b09330969df87b4eecf15fed0c89ea3b242fe31661e933f653df45b1e1f964e0d
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhC:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsv

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4473) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationCore.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Ping.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\tr.pak.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe

C:\Users\Admin\AppData\Local\Temp\e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe
"C:\Users\Admin\AppData\Local\Temp\e500ce98629c899402a9cbc904d0b550d1c9ec3e803c8475b82633dd693d564eN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
91KB

MD5
e3ed58700427491ab68f0690f76a6b6f

SHA1
5744ec1271261b8b44f356e687a934923ab60bdb

SHA256
4b1bd5f87ee2a65b47ce2b275227a3cae624572f814be28052217d86b0c53562

SHA512
b607696a1401b0d96b3e331e058a35e4d81fe41338a6ca48cfbb5c88634590aa8360e70bf62e3f06e8f758c86a75b830670a310c345613488230e2e72d005519

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
190KB

MD5
afddec7c595707dae5e966f4d989d91e

SHA1
9ff7f15a2e426b0602771b100622fdc3aefdca53

SHA256
a21f12a15c8f275e3ebe2a801645ea18c7c102fbfebbdedc39d2361b10a0355a

SHA512
e61855049a15c6ca18946fff238daa288c752c3e229fce469e0468af53bbffca6ef266849c20c8fa297cd22bcd3f53bd470fd9a8d1a9f87a75679fa4ea0af865

Download Submit