efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
Size

40KB
MD5

82f26e636206e8ff5eaa0a745935ca60
SHA1

8701fbf9883e0422c459372aaed01560d582f9e0
SHA256

efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38
SHA512

cacfebc960a95828cfa9c6616d48e145330c3a3e24d9b491c0a426db1fe89edd31f649b366668b8f349c3e77147ade78b0de8afb400bae094f96bdfd269b9e97
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnwR/s4Nkq81LOyq81LOUqKqeU/v8MvQ:W7BlphA7pARFbhM0Kkq81LOyq81LObpQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4647) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationCore.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IVY.DLL.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationUI.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\Microsoft.VisualBasic.Forms.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\WindowsBase.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\misc.exe.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PenImc_cor3.dll.tmp	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe

C:\Users\Admin\AppData\Local\Temp\efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe
"C:\Users\Admin\AppData\Local\Temp\efedb16f62b64444e9e9b7f03762b8b6ab847b837cca3a40234b8fd701dd5f38N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
41KB

MD5
4e7c024b9b13a3b4efa0de81950ffd22

SHA1
cd321ceb3f34ccf2b9e0430349f90dc7b1404cc4

SHA256
a35776f395e781b5dc0a65d7d1d2247e19e3565bee44b3ef4b62a16afc3c9b0e

SHA512
2180f828cb497dcfed80c957048e9e942e14347253de6055198242ec5f9e023e9cd9c0fcdb96f3de1eb37e22e921f327e6907d08b4632d5f3b25c5414fe76d51

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
139KB

MD5
0835e28bb6976a5866abb66f5e71d7d6

SHA1
4e08422c67808096a0693ec910ea6d7f98d51bbd

SHA256
60196d7bec7bfdd73b87b8ca5a369d0fea41fde4bf40d9201241f7e48ea26fa3

SHA512
b09d0e3a0f63fff89b9684cc402358afb18d23c6d0f3a54ae8dd7f7e3c946d3d4eaa6d29673c80411b989cfe45af4439dc2a7e01850cf553a5edfb0b9a4accf0

Download Submit