e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01

Analysis

max time kernel
120s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
Size

48KB
MD5

d54aa880e341119ab53fcc22d1b2c680
SHA1

aee78e0d4c8bb95e929c7826689f87054eed5354
SHA256

e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01
SHA512

38c048918f946c7a343519deac40c11e6229d5f626901bb13060ed64fd44959321952d9966e8ff54c25f4005d45ac24c68d7be4b3cb046e1958c90b7c91d5d97
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFZPsFhiXFhioBBB5:W7ZppApBULcfpHLcfpyDZPQqpBBB5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jpeg.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationClient.resources.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieTextModel.bin.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe

C:\Users\Admin\AppData\Local\Temp\e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe
"C:\Users\Admin\AppData\Local\Temp\e6b5261ab62e9d02107faa584a6419a653233a98ca2e00d04b7aa3ad926c0f01N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
49KB

MD5
37685557baa55a533cda181ec364d86c

SHA1
1e06af9e163049de658ad7b8ab4c71ff0ce92386

SHA256
fdebb94a33db87b7c6ef4e719651cf03cd4f730b08eeab48a09343c04185b7c1

SHA512
1f95cec73e31c06dc5eb52e2cf2926aa16a338ca9c53a4ae17ba9145a99ba718dd19b161de87d42e3ac7c9aa06c62a0da4f4849904100a7bdb2a7158bf93f606

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
147KB

MD5
39a8511134c9e2bf21d759739fea7478

SHA1
1baefa0ff5c4adcc30d3f212ca77b7d5c620d870

SHA256
78a2f530b0d2eaab726e5f20169760fdf11e2673f46b731884e059b62acf3612

SHA512
6d9ab130533ba747fb215f04ffbc0a72cf7077c4aa101814c9edb7d73de8cede2571725a8c21c897b2ead133447d932d898389cbcc8671e3b6c0b87a8c21f2f4

Download Submit