e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 03:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
Size

48KB
MD5

c6f0e710a5d898ae3340426a7cff3c51
SHA1

87d4e31d4ccacf120afb305a2b6ed38b8d31268a
SHA256

e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c
SHA512

4aee040294789b52d58444a59d945499f7d6be32c2b6e93ed80e01508d3c4c8d97257e5e46319a812f8e04550b2777e9c3e7484cc1cef2c74cf790bff7eaf487
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1itvtc:W7ZppApBULcfpHLcfpSo3fstvtc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5011) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-convert-l1-1-0.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\ExportEdit.cab.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.Client.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\splashscreen.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationProvider.resources.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe

C:\Users\Admin\AppData\Local\Temp\e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe
"C:\Users\Admin\AppData\Local\Temp\e0a1093ab2214103ac3c4783d9f48463302a80616a56662fb2e9ef843788ef5c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
48KB

MD5
52631c826b5818e17e7be7521fd3df60

SHA1
4fc7152ce1c924416a20342fb27a4c655e9375a4

SHA256
6de6e370767e59626ef2104505c8d38ec9c9e64951411621b710e1a612e53698

SHA512
793e975f79af71a235c29e50958e0e4fbc35da12d4e96cb842354234cda9b60b7db664745d942bb0cfbca6d86af9af3d010b8c907922c8fe810f74e9111f2178

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
e91caa89e9e890fb765913f1279dac78

SHA1
7627b83fe6990a25db9e93531b9d651d562cb258

SHA256
f947235480ecba42f33323334cd694637784f83488295b0070941dd270dcaecf

SHA512
6c5a90727695694203cc9e857ff34ef558631d5becf9b3128e349104a35e74d9261889151f3a00c115d1f79699958e51923e0bc928b63946bfec30ba5f90ceff

Download Submit