e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732ad

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
Size

49KB
MD5

dcee5fb3fba17d94995a8e6f66b68f50
SHA1

32e32aeba6bbf1b0bf49621073bfccf148056521
SHA256

e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732ad
SHA512

9cfe5e777908114cf2a3677562a2ea5de02c5cef9c714263e4c9be3007983a72bd2ae1f375e919da0453f31c28dacce0b7d8d4de575d365ac1b28a4ff45a70b5
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lz/g6sHzcXHzcC3OTHTu:W7ZhA7pApM21LOA1LOl6l6YzqzV3b

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4683) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART10.BDR.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Forms.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.AeroLite.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoDev.png.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash.gif.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll.tmp	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe

C:\Users\Admin\AppData\Local\Temp\e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe
"C:\Users\Admin\AppData\Local\Temp\e9b221c0037df1969d80e1f0a6a8ff3c754b1a496ceafbc3aa53d2dbeb6732adN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
50KB

MD5
b93b295c6fe0e7e64fb9ce87b9c106a6

SHA1
9caebe6be3a628c35638e7776f11bb11a4a39f34

SHA256
45b206d78e45403b45b747b97ce4f6fb4a82cf1d8c18c0daf8eec35e065b4789

SHA512
48f84e948d715f81caee9a60f258c5f54ea981275893cfe769ea3f20df688fa3f54565951010207741ca163fadac8b207d32cb4435516687821d8fdce4d16632

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
148KB

MD5
f005b55645e32ca9be6c114d5acca382

SHA1
5912166870d1f574f4d418bfd07cc5aa8518ff57

SHA256
6c016785e84e5032beb892925373586098d03e2eb0ba472b6ef2be3483c0a6f9

SHA512
bc00a266dae23eb5e341ad60f34279797702727657e5e4bd92c991bef779f75e9dc574eb1494b321cd425eb2ed5423635ffad31c844a27ebb98571ca047a880c

Download Submit