0e482d99ff551dbfe591eb88e94e4656702d121a4dcdc2a5de7de76b30e551cf

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3857195225483ecde583a58a46435a20N.exe
Size

38KB
MD5

3857195225483ecde583a58a46435a20
SHA1

44121a76996be7ff30fb29022624417fbf16a6b6
SHA256

0e482d99ff551dbfe591eb88e94e4656702d121a4dcdc2a5de7de76b30e551cf
SHA512

b5ccaae3a5d9c2b0e2e7fb5cd422997749a1db916f1d2881af7bc393a891835f67ce451676c2e4823dca59582d5da9e273763c379318e5f2f4d05a5e608e052f
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLg:W7ZppApBULcfpHLcfpyDb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4640) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Registry.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBPROXY.DLL.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\it.pak.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp	3857195225483ecde583a58a46435a20N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	3857195225483ecde583a58a46435a20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3857195225483ecde583a58a46435a20N.exe

C:\Users\Admin\AppData\Local\Temp\3857195225483ecde583a58a46435a20N.exe
"C:\Users\Admin\AppData\Local\Temp\3857195225483ecde583a58a46435a20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
39KB

MD5
075cd67a93e2d102993b63f3037fc528

SHA1
0f8fc15d26632373a2fe50b50fae5ca9846c6a05

SHA256
f0bc37e73e70b7e95c05b87cedfcaea4e2356640c006286207bf60fe8d509c53

SHA512
93fa161e21d5d7c48a6512694a6365115fc061705317e0f0d922b8c87b745da74107d226361054cb78715b611d9b1b35f1752311f1ceb57e8107dcd6c4b4beb5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
4115c4dc00fee1654b58d8244758abf9

SHA1
3c8930d915cbcb88200072228d734d94ad8b50ac

SHA256
f9fa8bc599d56f8833e296a1fcd6de2ff8d861119c0ed981cc9354464c76dc11

SHA512
7fc57985118c86c636c550b5293244028e9f7e7ac005561396bd84c9f84aa09c092f9ead14d03dca5ee5f92db1cf755d42a299b82b1cf728bf4e995eecdc373b

Download Submit