8f3bf322c55f46f8665aead9ae0ec473dcbb91746447154b7d0a57ad641e9cdf

Analysis

max time kernel
119s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abf5108bd5e0e49a10ad7fcc82fee40N.exe
Size

45KB
MD5

3abf5108bd5e0e49a10ad7fcc82fee40
SHA1

4e2e303c3022effa8be409641762f4ca6004a54a
SHA256

8f3bf322c55f46f8665aead9ae0ec473dcbb91746447154b7d0a57ad641e9cdf
SHA512

1853c977685af4ef4910ebdc3a961fefef96d91c2d6283620e9d672f0c2a44641d2bc2f327f44fd1293e6aefeecaf2b7d85abf4275a50ce54f6ad1d02812fab8
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42Lcfpb2N231F1pjhOK3JjhOK3m:W7ZppApBULcfpHLcfpSo3fTj3Jj3m

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4681) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Design.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Primitives.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	3abf5108bd5e0e49a10ad7fcc82fee40N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abf5108bd5e0e49a10ad7fcc82fee40N.exe

C:\Users\Admin\AppData\Local\Temp\3abf5108bd5e0e49a10ad7fcc82fee40N.exe
"C:\Users\Admin\AppData\Local\Temp\3abf5108bd5e0e49a10ad7fcc82fee40N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
46KB

MD5
9d4daf06b7709cab4e58bedba3acf68b

SHA1
19c672b5d929d0fb3277762270857094bc25d819

SHA256
3ddacfd0269f25132fab76ff9bae5e37aae440f120ff12547662c5a68f2543a2

SHA512
6066941eda5f0415636781d1e86f2e6f9a0292ed3ba25661d2d80cd884354fdd57ee5e00b25dce3a82fb5781006732e15c4f6677eeb4f21d7a05edc803a809b4

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
c88c6c2ad2aaf0b461e8a43eea244a7d

SHA1
6f7d912b3e1666c1267f3e47cf5fe53e500a4977

SHA256
d61fc229fcd48c3e682423f6de4452a97608e0847c64c8ea7f0674609bd34e72

SHA512
05c349662ab2e66220b0eafeb42b3f7f0be6fa4d569e8dc80f544161d025085c5306bad89e3f3aad2f340655aaa118a78a6ef117acf87efdd58fd1bf57df7bb0

Download Submit