1cf03f98dd4f66eb2187a06880670e6bee3bfd2fffb144b4041eae74fa59cbdc

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff08491f586ea8cd8ac3562a3965df0N.exe
Size

43KB
MD5

3ff08491f586ea8cd8ac3562a3965df0
SHA1

227965832c76d963685ca8ef289fc72cab8b9599
SHA256

1cf03f98dd4f66eb2187a06880670e6bee3bfd2fffb144b4041eae74fa59cbdc
SHA512

c37e2e5751e077305d82f1c7c63f7019d7c4a1367018c74ed2df4fcd08af6f480e687f705fd36b28d1c0abd62b5d5d64a7879faa2ceaac95ae59cadb2efee273
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3e4S04SdHIl3DG71ul3DG71z0V2V0V2U:W7Blp9pARFbhs101OlkYlkI

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3888) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Classic.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Windows.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Primitives.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Design.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoDev.png.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Expressions.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationUI.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es-419.pak.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ur.pak.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	3ff08491f586ea8cd8ac3562a3965df0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ff08491f586ea8cd8ac3562a3965df0N.exe

C:\Users\Admin\AppData\Local\Temp\3ff08491f586ea8cd8ac3562a3965df0N.exe
"C:\Users\Admin\AppData\Local\Temp\3ff08491f586ea8cd8ac3562a3965df0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
43KB

MD5
483e16c72c1dfbaa5716d9160d7cf36b

SHA1
c4515c15aad2cb9311c4b5f6c1a2bda6969d1c62

SHA256
ef074dc2dc8ad64183607b49bb769f0610cadea4f67249161e479e945451bb9b

SHA512
555885f59e4949cdf4f1ced87957b82f4b323f75d71910d5daa0c6387da4a0f8a5aefb1e90a4e581d142b07a90765fd2d196406ffc7f2d85f52701da2928ab0a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
1ffb861bcd04ed030a0904bfccc31d7e

SHA1
8a2e5b29f327deb6dfea4e6ea5027a128d9e0618

SHA256
e221950283e852f19096e984956845af86c357c983ead75e7dd598990873d1b4

SHA512
a9d67d7eb183541745bda417a46bc7b2f087b1e74f2d69a250dd05dedd7646f132c30a0eea5e91595b27d9531592e7878e5063b4191d439e5bb11d03d4656680

Download Submit