3ecbc7a119418dfb1f8310bb66653dbe3e170620dfb50158c5900202d28a31f9

Analysis

max time kernel
120s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d3d6e7211b822e6cd25dad1e9692be0N.exe
Size

61KB
MD5

8d3d6e7211b822e6cd25dad1e9692be0
SHA1

ed6ddb6949664f75f95a918a389ce69159ddddea
SHA256

3ecbc7a119418dfb1f8310bb66653dbe3e170620dfb50158c5900202d28a31f9
SHA512

c5f71d23fcb21b50d46fa0df27ec78824a5d811947b78ec61b252cedb3cd672faa5814f0f08710fa2e1ee4becdb46de86052507621342ac6cc375413ff5d5121
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/GG2GQ:W7ZppApBULcfpHLcfpX2/Nw/Nwmxd1b

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4606) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\BlockResume.rtf.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jre-1.8\release.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ppd.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationProvider.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\WindowsBase.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\msipc.dll.mui.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsBase.resources.dll.tmp	8d3d6e7211b822e6cd25dad1e9692be0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d3d6e7211b822e6cd25dad1e9692be0N.exe

C:\Users\Admin\AppData\Local\Temp\8d3d6e7211b822e6cd25dad1e9692be0N.exe
"C:\Users\Admin\AppData\Local\Temp\8d3d6e7211b822e6cd25dad1e9692be0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
62KB

MD5
8e2379b8d9ab21b76a78e5475acce502

SHA1
3063b5ecf775b367b48b72bc8c247da0f8636d3d

SHA256
a42ade3bd502ab76574766affa5afc05cd8d1837333971eac1468689e2f8a44e

SHA512
ae17396fb9a5bb3ea558a278b89e6c9463ddfa5055f571ac3cfc2e73df44c60fbbec96a277fbd766d5ee00917d5bc84ce9466baf6fecaddc3a6ad1c87def39b8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
161KB

MD5
aae5d126f55dd876aba3edeb0fe3ff28

SHA1
05b526539cd00d9c50db2b67888108ac9f20595d

SHA256
dff12323affd7184081a9f118d9580942ce424312cc8d9881a7afdfb3f92bbbb

SHA512
32ac493f4fa16dcdc9a3015982048b96d9dc972cc013eec95aaf99a51412be4e3f74df82172224a0fde5659aa8cf7c44abac915ee6cbf95b911d6d5e54cdc57a

Download Submit