ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
Size

82KB
MD5

07beced5e82903b389dff4935c0bb850
SHA1

49cf89fafe5fa2166784c2ae6f96ea589950c9aa
SHA256

ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421
SHA512

380383424c1cacd7a175ca67494dfe7912e071b2fa368596a6d7fa1bd45e40c8f38db07f70e1a15cca376ba6c6b2a23bc14aa61efeb46e1355bd4f5bffd7bacc
SSDEEP

1536:W7ZppApsJNg0tdlAX+zq852d1F4V+kw2tc:6pWpkuK4+bE1F4c2+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4590) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfr.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sqmapi.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Timer.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationUI.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClientSideProviders.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Java\jre-1.8\lib\currency.data.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TextWriterTraceListener.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Watcher.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe

C:\Users\Admin\AppData\Local\Temp\ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe
"C:\Users\Admin\AppData\Local\Temp\ee333a88e4fcd3270b3449ef08483cef9ff2faa6efb1b51fd4fa76283ed7c421N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
82KB

MD5
9a336b0533f37e461ec9a1285ccf3b06

SHA1
2509fb31d8e6d83ebac7aafe34f5fa9c6281d181

SHA256
361e9b3c121cabe6074ebd1f2c698a197564e1e007360fdc5456d8f771ed620a

SHA512
b7cab7c7d6c5f091cadec47088e15548ba074a5af9620f312c2571d44f875600124ecc298a4680c6cd3f7c23426a99a3ef57990234c309b24e831dd978a13cc7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
d7b0763fbc9829b6fc8afe1f79e0acb9

SHA1
3b24f1ae44248ade8c01055e1432e45aa768ec70

SHA256
7bb3d9ac2af8290b493d39b971a00bf7da18845a1e7254e89a19a3d7011b08ed

SHA512
290132bc2f8009470436bc7082aa85709595d6d23687aa6abdd929caec055a3bb20a0bcecfe569eec1d4881012e07756347abd9669eca44e828f2dec08e27605

Download Submit