0e782bb2957c34b6284f775bce477f6c396f52888f22d65130107b948d70389e

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1cf46c5d3850acbf19d2fd2937c580N.exe
Size

41KB
MD5

3f1cf46c5d3850acbf19d2fd2937c580
SHA1

e546fce54773ec898946642ef4ad74f61f6a2e93
SHA256

0e782bb2957c34b6284f775bce477f6c396f52888f22d65130107b948d70389e
SHA512

fde5c55a1a8e5392a68929b09a4b3fa541c24d785acc273553727f9083e5465e655fc3d0c5956f40e29c96c9c0a081a9a866d6a2922ecc375fd283317936e01a
SSDEEP

768:W7BlpppARFbhjbhPKueKudLw1LC5XQo86KlsI:W7ZppApB785XQo86M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4688) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationUI.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Primitives.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.Brotli.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\System\ado\msado26.tlb.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	3f1cf46c5d3850acbf19d2fd2937c580N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f1cf46c5d3850acbf19d2fd2937c580N.exe

C:\Users\Admin\AppData\Local\Temp\3f1cf46c5d3850acbf19d2fd2937c580N.exe
"C:\Users\Admin\AppData\Local\Temp\3f1cf46c5d3850acbf19d2fd2937c580N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
41KB

MD5
7839962639eb32e4e3b90a117a13721e

SHA1
85075397c01fe021c3331dd02d352bda9e9d66fc

SHA256
ca80516ee38439d7274b05aa9ea57e661c4e1612fb28c8a1cddceeb766b88fbf

SHA512
3087661f0e5078f306c0f8fd033fec25430bb7286eb5666c604c077a578b8e3d0f8b12ea3a694c3dd39f5c6683bd718149897cfcaf2d6d1d9fdae0822428f9cd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
6ea5a26eb4a0fe49fd8a0a1a7e2fde96

SHA1
09025feb096149a8933461805aa62d81ef02978b

SHA256
b5eb7c180f18f28b04b251f2c5cd3e95de330cf7b8b920437d0b95eb7221bbf4

SHA512
8a7e429df5e015dec96b3000fd19a8d69b638c05601591f2e8ff2a56e5c3dcaf3816287a951dc21d01c2a48bb35f4928297147817c7de1dccae93d0a9927360e

Download Submit