ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbd

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
Size

52KB
MD5

5ef8ea8b4436326774b42fd261b03530
SHA1

797371e7ef9bbf07197f90134d230972cecd8c61
SHA256

ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbd
SHA512

8b12e1189510a1f53d37132c1939f5e13a087944110226c552fad9f22b85120d0a4cd41159609f7bd874220acb48a8e21acf39a34a20b5bd6575dd7d68a2bcc9
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFXpK5c5b20NLrkQ320NLrkQb8dOH:W7ZppApBULcfpHLcfpyDA6BhVzhVwOH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.Json.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Calendars.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\libEGL.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\ReachFramework.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Csp.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.tmp	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe

C:\Users\Admin\AppData\Local\Temp\ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe
"C:\Users\Admin\AppData\Local\Temp\ee30e5131cc674f72b88665d68fea42366df0284a9ce5abd35852815b3b92cbdN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
52KB

MD5
640d580bd17db1eddbac0bfd81d5291b

SHA1
8879f14956d1e7d7852e364bf9b39c1b3cee03cf

SHA256
45e4024b3578ec699be04f6c102c2faef0c9187fa5944f6f69aa2c0bfb081751

SHA512
c0b6a4d1d1c3618093f1f9095243853f593ef279cafbee20f8ac3c3018653f009a0dc0fc2b2e638cd65fb13666e4f918be5f0df1aec07f24228fa1397f2593e9

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
176bbd4c2d1c48fbfdf794d0a39e1200

SHA1
2ce88a44abb0aed4fd1da31c0c33ec8c8a488b44

SHA256
b6944a1ebf2baccac6ade685a4909b0410828d3c0c1c62188d72a741e6aec1a2

SHA512
482687d4d1c4f69a1a54bccd1c7708b7e68ba02e5fe2b02b542d37c701a292d5b83aae9ada709b32fd1035227491f6536221faed1454c0813fffda19633a1e9d

Download Submit