e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 02:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
Size

53KB
MD5

4e2b8c91b5f5ff45f8e59d5d8aabaf00
SHA1

2348ab200e066b1cfd51da377a999cac7dd6ce5b
SHA256

e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18
SHA512

9df2bd7f6fc30f78c8fcfc62267bdf35f30fa6d54353376322ab19bfbb86b186150dae6917bde78c27a27ea2a8173575da36d3260ddc72ba672c010db5cf79a3
SSDEEP

1536:W7ZhA7pApM21LOA1LOl6Aj8Tu8T1Rxew2wF:6e7WpMgLOiLOAew2wF

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsBase.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Process.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.HttpListener.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Primitives.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.Primitives.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Controls.Ribbon.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fi\msipc.dll.mui.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll.tmp	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe

C:\Users\Admin\AppData\Local\Temp\e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe
"C:\Users\Admin\AppData\Local\Temp\e484fcbda6936bf51b400ffc17cca07dc5d3de290edb4ffe0e1bfbb9dcfcef18N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
53KB

MD5
31e3e420f868bf31e65dd8a591a508cc

SHA1
573aedb3fd08207ed077bad5dd064991f4ee5ff4

SHA256
df21e8049dd4dd71b594d09c888758ce89f3cb7e48518a19a059d979e728a170

SHA512
fd3933142e7df65fa26fbd60b41d7a06ce5c81f03aa2f3b2e53185c8325dc0bb2f74c78d973abeb1973f199114e2937f2758894a5b87625f04bec141629196a6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
152KB

MD5
0ea0c7cc7b01a0c93e1ff309f49ca63c

SHA1
13af6fe37f4bba2950cfffafe8d01793953acf48

SHA256
2ecfe71199eac2f0e3ac8a5f760596f8fe59bf4a43dcfd029c632d4b953a864d

SHA512
265580aa94f30c67cd17a6fd07f0adb1e64739c631cba23530b325d6431342dbb02097fc8e3e310094747a047812a74c9446e32092e639db68efe4a647f9ac6d

Download Submit