d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
Size

88KB
MD5

4e5b5ebb06a937100c91efaf6d7b0741
SHA1

1e8f55e05eb64244a16d8ffb6cbeea792e62a0be
SHA256

d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d
SHA512

7c3ffa6cd0b8dec91ccfe4e22788bb115ca61fecadc499a9dac3c474657d05a299363ccf99e9049101d61190629c618523d79d77dd5563fed07fb630fa12039f
SSDEEP

1536:W7Z9pApQESOHepOHe8G+6E65dyGdykNdNBKggrXF:69WpQE0zxgZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Xaml.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ppd.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Controls.Ribbon.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe

C:\Users\Admin\AppData\Local\Temp\d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe
"C:\Users\Admin\AppData\Local\Temp\d3cdcb34256b7f3378cf361d616b4cacf185ab654d91f863baa28a768f51327d.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
89KB

MD5
4584cb241d47e933cf97f9bc6ee79f05

SHA1
0b6ffb074862b27b3f0cfb0b2856b9d3be85d6d0

SHA256
e6ea466d900766bad019c934ca057eb8ce83df31f697672f1b70c824833683d3

SHA512
6a15b46d97f4c3cfe60bbd796d2632e0399a5c9f541ce220d1d46918ec315fa3f28f222007fa50f0cf30f81777548128afab709d629587e9fdf1c5d7b0c6eae8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
187KB

MD5
b1daa38c4de923a7738d1986f222476e

SHA1
68790993486c00c7ddb0970f4809489ad9f69bca

SHA256
5822212f676ba72ddc912605d348971b0ad7f2b2e9b45c0ca5ad0622e3ced269

SHA512
2f480e31f7598212be486f6da6bfebc6ec32f9938cc032976e8a3ddd9f43b1f11cab9edceb97b376e5965bfab0666ab768a357c08305e40fe5ba275e6f9cd7f8

Download Submit