eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
Size

47KB
MD5

2b79df2623bfc54ec79da4ec29415a10
SHA1

1b9577274313e928faa1e42e5bdc2a79a0a08ba1
SHA256

eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2
SHA512

800e65f6f1256b22ce857269aa2634ef2056fa618bdff4ea18c575140f02ee0c48be0bd4ad24943beb772036cf19bd2be4848498a92141122e7e594ef20203a0
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFeK5c5jm7D:W7ZppApBULcfpHLcfpyD56Bm7D

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4633) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationCore.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\WindowsFormsIntegration.resources.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe

C:\Users\Admin\AppData\Local\Temp\eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe
"C:\Users\Admin\AppData\Local\Temp\eed468d2b6d62c01acd89ada4d928c4b63d522715b50c34db6318dc7d906d7b2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini.tmp

Filesize
48KB

MD5
714b7002714b9d8284c26b5c9252a63b

SHA1
86af8dc75d6e502bcb384a987c75ace77451093e

SHA256
e64779513aacf187a7a3d0b7a35b9d6db67492edfbba71011019361b0ede78bd

SHA512
76c102d4c2b09ec77ad0337585f537550e769beb7a7cd0f8589a0de31051fbe36569762dc4498b8998df7b1aa006452d50b19e5a85cf39e0b8e35cf0771c45d3

Download Submit
C:\Program Files\7-Zip\7-zip.chm.tmp

Filesize
160KB

MD5
39f18617565d8afd55b352c0cae0d1d6

SHA1
ed3149c112cfe768fe92d1ab263a4a4e9fd03cd6

SHA256
5c0f7ba700e6a511fc47baa753f3c17fcbb7f8563c6734152c4b51a6414a1095

SHA512
3bcef8b67e0d6e78ac9e7cd4c719b0fde419bfc4ecb57d09570d942aa5e2cdbbf82f9027a125507c7dc1669107c400bc5feda12334594eb714bf5f001e3f2259

Download Submit