Analysis Overview
SHA256
e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0
Threat Level: Likely malicious
The file e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (5027) files with added filename extension
Renames multiple (597) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 02:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
105s
Command Line
Signatures
Renames multiple (5027) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe
"C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe"
Network
Files
memory/5024-0-0x0000000000400000-0x0000000000408000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp
| MD5 | 57cb439d05d3eea8ad4ecf0740ced269 |
| SHA1 | 84aa4ed62c67268f6953029675e78a3200cfbecd |
| SHA256 | 4dc9e7c4258038809db71b02c9d3c95f7d7fc034a9a947f6dc03ba2812fbcf23 |
| SHA512 | d2d3112d5af52d4a0df4254338b0e093823bd2055b566c9181c372197779f771d2ceb9aaa02f3d3d8a003ecd35d7ee583f0922587b9300a44aacfba002d811fd |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 2f9293f328811bf706ff214c9f1d9d7c |
| SHA1 | 2489d7e9cadb3077bd4ccb9fc50bb17b49dbf40a |
| SHA256 | 37e3a58e15905d5e8a1ee7f568cbd6ae8516e2950f8730e332981406f79b1ff4 |
| SHA512 | 951118801bb407b69ea3e9bc24452b197da8cda0ac2c48dbac9a9f25d99b81cab0f38fab3c0cfa41d1543f6b1db0edaebba3b40cf3177f0fc1b23c78d592fb2a |
memory/5024-782-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 02:39
Reported
2024-10-16 02:41
Platform
win7-20241010-en
Max time kernel
150s
Max time network
19s
Command Line
Signatures
Renames multiple (597) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe
"C:\Users\Admin\AppData\Local\Temp\e11018210b56b8a99f392d68cbde4274171f138892b2fe9c6cb1c3a09e81d7b0N.exe"
Network
Files
memory/2244-0-0x0000000000400000-0x0000000000408000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp
| MD5 | eb2671ba906ede6d7db334f614e22e57 |
| SHA1 | a281f5d0de6bb58be6a6a1db5750302aac9328d8 |
| SHA256 | 6e2fa3ebda6f78aadc9a557a14f17fc26049e1986c1c6a12253a817057e0acb0 |
| SHA512 | 7093fac570a25dde6e4446a4230b2fa1ca878561bb9bfc4065d56375ca326376c78f865ce4302ff5487bc26e930c7b807a70861a6bb05232186c37bcef2c719b |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 64249fdebe228cc53f2a0d0ef9cdd018 |
| SHA1 | 35c33c97c4faf1fc305c7cee6993e8c301059821 |
| SHA256 | e88d3cea98f1dadb243fc2cf520b29168840d3a9c03db368a0a1dafb880258e8 |
| SHA512 | 28d560ba14cfe1d54e251bac56133a031b6565c29b6a14e6f19d1c802e0be32d6269e51a27069672ffd4e7ea5a32c6eaacb258f527963a7ed462dcdbb0f54e5d |
memory/2244-22-0x0000000000400000-0x0000000000408000-memory.dmp