3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
Size

70KB
MD5

eda485cd1ccd55fadd5d2e091f9d82b7
SHA1

b8c0c42e2df64e9cc46f0bf8e56732036fbd25a8
SHA256

3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b
SHA512

0ef8b28f7d3a98d0ab4ef9ea5b3a076941e8d5d3f6cfe95a192f7af9fbadb3c50ca6cee241fb5c23cb2b9ffd44e4efc4bb8ce84365525e52dd973fb0f698db24
SSDEEP

1536:W7ZNLpApCZuvIYYoYoN7n9anKs6nKsExVgrW:6NLWpCZLYpeU8xz

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1037) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlSerializer.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\.version.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.Win32.Primitives.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Mail.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Annotations.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Xaml.resources.dll.tmp	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe

C:\Users\Admin\AppData\Local\Temp\3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe
"C:\Users\Admin\AppData\Local\Temp\3526c3baacf95e0b112f9d5716819a5ed50c19fa4f2afbc2128eec53b28f0b4b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
70KB

MD5
40235f4c5394dc3157d6dfe35b884652

SHA1
adde45ff620bfea6dac3446f1885032aa945547a

SHA256
5c88b1b62d2e65c7edf2ae84af6a267c3dc7213094a7213be78c6b38cfcd5cf9

SHA512
b2b1854e16b6ec781c15e394f81d151361af48d0e41b2756865c5605d2aa51b7a683a49f9c8c6c347558fb2860b872de7242680cb302c154b1b354ff9b24c936

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
5ab3f201175d199f600b917af153296b

SHA1
103bf58dcdc4ba81216ebff22481d094e25d9474

SHA256
c33d952a8186de178e92d36a1bee1d1c1a99e2675a1a74530c36021e70499932

SHA512
2c4231ba28ab0c11578799d45f94cbbe4870e046a9d7551e8721c672cf67e4dfa14053e05fd39d7d8a3c8b63b09f90e63bd200e4a184272bd08a22132b3107a8

Download Submit