44593a607c713f108bfdc8dc6df68a56aefe88bdbbe7cc314b537a6795409f30

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b43e989725f33f482bda18311486550N.exe
Size

54KB
MD5

3b43e989725f33f482bda18311486550
SHA1

fe832507f74414d4e495693dcc2e7e246785aaec
SHA256

44593a607c713f108bfdc8dc6df68a56aefe88bdbbe7cc314b537a6795409f30
SHA512

bd5307372f5cacd6157df45c2f0dea8cc840673a607145f6b51284dba7dfaa1f0d853fd669c7e1c16ec30aef0f9756668002fd963d09cc41c25f1722c0dc3ac7
SSDEEP

768:W7BlphA7pARFbhL801VvM801Vvv7enLgk:W7ZhA7pApw03vR03vAgk

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4109) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationFramework.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationCore.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Primitives.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Configuration.ConfigurationManager.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationCore.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Xaml.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp	3b43e989725f33f482bda18311486550N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b43e989725f33f482bda18311486550N.exe

C:\Users\Admin\AppData\Local\Temp\3b43e989725f33f482bda18311486550N.exe
"C:\Users\Admin\AppData\Local\Temp\3b43e989725f33f482bda18311486550N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
54KB

MD5
20dd158ec447cf4ba4860738efa41b9a

SHA1
19190380fa8976713c91a82ce6f50037b16dabd7

SHA256
7b175aeb567731078e014ab3b3dba403050cefbe9302afde875ae63de5f2e4d8

SHA512
4415b90f2f311f0f3ad8f4b03e0d6410e442df12655b77477f6a927c67a8fdaa7984ed2d997610ebee8429f9239073bf48a60196c7e128880a09020ba0d9f282

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
153KB

MD5
0029365a55eb8c704cbd22c642e3b4c0

SHA1
25b70336a174021dad85680f3cd5691886f04194

SHA256
fa0cb5ff88df02026776535c896998a3f217c611e6f5cd64b005c1d5a349cb21

SHA512
fc14c577cdc645e6210665c34c422de2b4867d541892c9bbf765aa4b96eee499d8b8cc7c20b266ceaa52dcad9b0f01296b339cb99f557b51113b4723b8bb28cf

Download Submit