1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1e

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
Size

146KB
MD5

e3c361bb249153b3cb0e4fd990ef5840
SHA1

df672d0a42357791313b2c0e516924f19b3dbae2
SHA256

1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1e
SHA512

599d798a28dd1a43a585e642fb10a3997ff1914b1b536eb57983b6857220703d45e83580c2796e417e54c1bbe43e68dd52247ea0c958423aa6fa31e91f10e58f
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6Sh1XtkkkkkkkkkuC+2fraAmtQHyiNueOyAB5+0YJb:6DWpAoOhQSicJgyybxYm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jre-1.8\bin\jawt.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-string-l1-1-0.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemCore.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationUI.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-string-l1-1-0.dll.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.tmp	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe

C:\Users\Admin\AppData\Local\Temp\1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe
"C:\Users\Admin\AppData\Local\Temp\1e1c2668ee7fe86862d4c87d4790626c93915a54891d832529f45724901f0b1eN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
146KB

MD5
2e89ab402eaba6725aadbbc8e34802da

SHA1
c566cad32ea3bec2980432e5db9d504cb8534082

SHA256
4c3795cae67bbe31692ceb752f6b6e3e91583fe1b0e447f4232b651b44ee8e6d

SHA512
6aae4351c292272a0167287f8d8a57695f4d2279db078f20dabc69a3164166efac36063668569e89ee03c679a415a22da983292215502f4951d5f27ea5f8686d

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
245KB

MD5
636c0b4f23b283533187606738586334

SHA1
60eb8f3d9fbae9f2fb4c490e7b004651abaafd73

SHA256
37497b25a8890a8bf6c15f66176ce4cca5f034038024741f009bd7c95cd5f4bf

SHA512
83b82c53e957cd5906c55e681ad662f74aee91ffa9ca73468e1eabaa4d1b54a292e801b4f0c129d7eb43042af3cd6f5db0da656d83f2986ab7d699298c7fb13c

Download Submit