1f06200c38f9dcc096b0d31c6f607ae9b87463b349e79deabfd92a5ab1c2fe3b

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 01:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f1e32eaa1a7567507717a01040de9d0N.exe
Size

60KB
MD5

3f1e32eaa1a7567507717a01040de9d0
SHA1

aa9cc9c4b7b766dae9feef8bdd73bb2663ebe53f
SHA256

1f06200c38f9dcc096b0d31c6f607ae9b87463b349e79deabfd92a5ab1c2fe3b
SHA512

d4ceaa42320956dac8e1472268f3f215f7ea2c6ae15a4662e2291637ede4c99c0669aa5172f67e4c545b08c0181d239f7b451edc8115579414de49db440d90d7
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/U:W7ZppApBULcfpHLcfpX2/Nw/NwmxH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsBase.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\sqmapi_x64.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsFormsIntegration.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	3f1e32eaa1a7567507717a01040de9d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f1e32eaa1a7567507717a01040de9d0N.exe

C:\Users\Admin\AppData\Local\Temp\3f1e32eaa1a7567507717a01040de9d0N.exe
"C:\Users\Admin\AppData\Local\Temp\3f1e32eaa1a7567507717a01040de9d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
61KB

MD5
a7981c704db44345000157258d24ce93

SHA1
252864164dd783c765de38f9fce5fbeda4b4c646

SHA256
457b37fa2ee524aadcecc3f3bbc2bb48a3469971509464a9773a5c00e4e4fac8

SHA512
eaca96f5be099d26c215daa1104b7b5a5a6e63077f56602d219be4234342900ae61f3e7cfce0db4da8c9656672488fd129a5ebabeebbd381f5f02fae50e72e01

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
159KB

MD5
f7b0fb62bf5a50aa7adf2c37d2a7bba7

SHA1
018188492549e897fbc1522afa392a525ce443d3

SHA256
05b36846b1927aec481438137b3d66d834cc37ac35ef319b8b904b5139fd6225

SHA512
8666edaee296436ff52904f22eb18f5046b3230a4fb7dbf0eb6e16c08fdb9029c6b023418bab842809c4fa5844bae4328a4b9803f95f95af9d189546ef7a1d4d

Download Submit