eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662d

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
Size

53KB
MD5

e77514231aa20666aca5d1bd34b4cfa0
SHA1

a6c97b6ac497ccc3180e11f1dd7a6fb5cf6fd92d
SHA256

eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662d
SHA512

43478d37a23edfaafc9cd2de40f9459eb93bf033e29b00b63a3dcbfbbefed43d22485742f412b20d5e461f8f7ddad2be7c42203a1e32051db68702d8d5ba25c9
SSDEEP

768:p7BlphA7dASbSLJJBZBZaOAOIB3jM2jMO/vY6mYHV5gLJAbHV5gLJAD:p7ZhA7dAxJJB7LD2I2IGYoND

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4668) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationProvider.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGHELP.DLL.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.tlb.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationClientSideProviders.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Primitives.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Xaml.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClientSideProviders.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe

C:\Users\Admin\AppData\Local\Temp\eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe
"C:\Users\Admin\AppData\Local\Temp\eb9eae02609b18f0df4bbc65bdf1a3cb88c0d39d64a8bd69eac2b09a1789662dN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
53KB

MD5
70dd9959d4af1b08699dde9ca3f96944

SHA1
82b580cd327981551a193997f6e80d6ecc99634b

SHA256
9f5e7ab69e4402c552791789228d40156eea236559b94c55716dca5edb652cde

SHA512
1ba06b21105f1511081dba57262a78a058475e1a3099bb699f64bb6d99ec8f9f342ba22db4f3f5099b23289a7b0abdea1a4efb526fe51e8adfa8560afe2645a0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
b9f7907eac7afecd04e8d472f041841f

SHA1
c9f6aa3321cc9cf07c75d591f21113f59f2b8c91

SHA256
dc859a085735cbc059a2d9cc62adaa02e01c8cfb3f5df610e394a8dff3075040

SHA512
9b0e7f6399283f46bb36bd16f3ef40541535481de6dda2948c87495758761f7ba1d243ac43a3a20604c1956f9b4918713fe733d64bfaa12f74771f97cde486d6

Download Submit