caa8605f91e11fa97866de898432330fbab4e640fe192fa2a6f28ab223d77b96

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed030e6b28edd44a7013f521c8decd0N.exe
Size

75KB
MD5

3ed030e6b28edd44a7013f521c8decd0
SHA1

66d0006410ba7081548a6d7c6861df01494c762e
SHA256

caa8605f91e11fa97866de898432330fbab4e640fe192fa2a6f28ab223d77b96
SHA512

9ac667f826b98afae0e989386b1a68fc262756e7f9d9867810046cdf7f2fd20fdd567c96de498327da0ee49f98ad8be096c3a07fb2bb11ae7c6a6ff5098df9b7
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnwR/s4NW2sl4c3KbsvrTgOzkJAopyVFlgLfQf+PZfW:W7BlphA7pARFbhM0KW2s9B4hofAe

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationUI.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationCore.resources.dll.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp	3ed030e6b28edd44a7013f521c8decd0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ed030e6b28edd44a7013f521c8decd0N.exe

C:\Users\Admin\AppData\Local\Temp\3ed030e6b28edd44a7013f521c8decd0N.exe
"C:\Users\Admin\AppData\Local\Temp\3ed030e6b28edd44a7013f521c8decd0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
76KB

MD5
20a05d430fab92515ce4692839d86e50

SHA1
e936c4cda937e129f07d9e8f7b6f3c797e26b1a0

SHA256
ef749a556535e5c8162be573daaadbfa734ede598a33c5c3e41cceb9c6980a89

SHA512
025ea17f2e04ae91bea8b6d2a0de7c57b54e3a6db60bb3cfdd3b63325e5fec3b02f83fbfd9f46a3ca42de97e1a8f2516b97f839d3e74b558ef80dee3845bf793

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
174KB

MD5
0bfe99d8a1462c508a4e5481f5f6d312

SHA1
cbc5e9d7af737ed01e5da8f9e91ba200295df3eb

SHA256
b85cb9a748b7b540e4c4d198e41306643ef8310bb018a86950974903a9d098f2

SHA512
c8f67a778a99f4570f0ab15c7fd7440e9d4cdba15d2d6c352bfbbe03a5f13a0d1c7422d0220ad8bef87d4389fae9518b30ec217e9b9d8bc41b3b28bcf9b8f877

Download Submit