e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
Size

88KB
MD5

2e5924d839eb2fb9166b7d25131d1210
SHA1

373c9a8a544d5a3a1b174ce25521b6df338a4233
SHA256

e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856
SHA512

f8867e0683843b780c9a0884c0c15f36da5b77638234a67fcf3998c270f754f47cb82839843368880eefb917f9cbff1633257e6233eb4767ab869409decb56bd
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65dyGdykNdNBKgg0///x9zKI:69WpQE0zxg4nd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4595) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\AssertMeasure.php.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Presentation.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-time-l1-1-0.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Timer.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe

C:\Users\Admin\AppData\Local\Temp\e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe
"C:\Users\Admin\AppData\Local\Temp\e0f1b3f44b2bd3e144f1d50dd49a2f912c223a6a700c350f3dbe9968b4012856N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
88KB

MD5
e3547deb9ae95a82d6f096416c93841d

SHA1
d55de3afb2fd164436f5aac4d20fa42138e3e223

SHA256
b1539b50f6187410c163396846f44fdd141395e10d2cb81793e1ef8bddaa3464

SHA512
12d0930e4eed9189bac45991006835ba361fb12999126ffe9a2f0d4a91e413f49ef36509a510dde880af1c0c7688144c592db66972f05a46087072833ee20e9e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
fef0f1f138cb59435e73bbe59ee2149e

SHA1
ba7b8a43cbba97227587bc0d9e7a5ae5aeb8ecbf

SHA256
dd365132a5383a6172cdb7307d778986f2f5c4ffebffa5c01ab7a5a090a9fe23

SHA512
7f833dbfd57e90f6954b9339c0d3e1ec9572b903b1a81571e7306a7735908e38c677ceeb346d5a9ad43a9aa53c1db3f956bab8be5b44571d7621f9d8aa4e6164

Download Submit