a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
Size

104KB
MD5

5d4ea5d003e21b89670085c42f217d6f
SHA1

71ab1b8290a8c6493d4c886d8c14ddc4bd0fbf43
SHA256

a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1
SHA512

cb0fc925b68cd58a7221638455ad3ff59d1f05e2b0af8eee9be15aef77f525359c75252266371586d42ba792ce84d3b54579831da1ad925616350fdf4c858333
SSDEEP

3072:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL9ilV:RqlIyFESWu0SWu86jYlV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4718) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.Common.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-handle-l1-1-0.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\gu.pak.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Luna.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymsl.ttf.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.Extensions.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe

C:\Users\Admin\AppData\Local\Temp\a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe
"C:\Users\Admin\AppData\Local\Temp\a3705042b780e8576dd0678ceb0db8d01d4ea8b9fd170c57a8359399366fe9e1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
105KB

MD5
df7bdf93ab8a350e14a51da58732a61b

SHA1
d80329229088185a8123aef0e0fe97d18d781788

SHA256
e7d776b7f2d96ec1290133fc8b69e7ddc9efc99a70cc25f462cd3f122c979f7a

SHA512
69bee99e84f908d807229e8e9c9b92d7eda6857b45f1e0225036583a272a14d16c5336bb7b1eae702c5f594b9d38ad41d1cc62f9db6ae50c4e65729a19b1f75e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
203KB

MD5
7f1294f514a5b87a41af1bbb16328857

SHA1
b280acaeb28840f665ff0cd0ade5342a93bedd64

SHA256
3698eca1db070939c20cfe7fc32866024916cb63bc459bb7ec51b431ef36f1b7

SHA512
bc1a69d00c07df1355dd691bbb7dbb9dc0608322df19e835485304efbd22293f1adb633d1199b9b3073c112e4ec35c5599d0672bf6aee836475ddf66cd424d86

Download Submit