09622ff39a20cef54f555566ccaff80149ec2e1ec421f3f140a15f3be30436dc

Analysis

max time kernel
119s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d12f3aa1553f20fd4f1a17742251490N.exe
Size

96KB
MD5

3d12f3aa1553f20fd4f1a17742251490
SHA1

f624fff52c21d1e817a2c7d833ca4bf03d8c74b3
SHA256

09622ff39a20cef54f555566ccaff80149ec2e1ec421f3f140a15f3be30436dc
SHA512

d3f214391ce4113f7f3aab9fe7dcc7a1bd2a49cd3258e3d48ec2849dc1bc8a89023743138917f5eddd2ba4fda202378966160b2dfb95544f5faea813b482351a
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZOf7fX:RqKvb0CYJ973e+eKZOf7fX

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4086) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.Common.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Reader.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\bn.pak.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\management.properties.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Crashpad\settings.dat.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\123.0.6312.105.manifest.tmp	3d12f3aa1553f20fd4f1a17742251490N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d12f3aa1553f20fd4f1a17742251490N.exe

C:\Users\Admin\AppData\Local\Temp\3d12f3aa1553f20fd4f1a17742251490N.exe
"C:\Users\Admin\AppData\Local\Temp\3d12f3aa1553f20fd4f1a17742251490N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini.tmp

Filesize
96KB

MD5
f8e0ac18a20a3d6bbc7f74161dc4951a

SHA1
fbfe62d4a8c01c8a5441ee9276c12fef82cbc39b

SHA256
9e456db69aaa9e0a6a6fecdb7f99cdd3fd2df9b8360d32d99c7b3d3751d28375

SHA512
ac70ec7184c8f25b9902e52d66d7f0758061a6f306bb5e1461f24f861a0cea806d87677d767d44dbec966c453203d31e61253b0cb5761ac2ba5eb45fd8fcd645

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
195KB

MD5
db92bd668d935090d234a0ea1bb3bb14

SHA1
cc716a567841664690a00483077b566a86907cd8

SHA256
49e361424c60f87f7b51ce0c34c2f62a261fa1186bce36bf52eb18d8aa16fecf

SHA512
ffa6c1f124a85722dd3c72ee8f1a0e614e1c541fe6c78257ed5e70e62849fb287350c1f627817cea28bb688a8017c86ea9babf74656b0964315de51f9bffd015

Download Submit