3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
Size

56KB
MD5

939ab7a0f9a2e3dfa4f48dd646fd9fa8
SHA1

7f3e21e4ba05f15f5384be0891f9e3cbac3d54c2
SHA256

3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83
SHA512

071a585717e915d95080a4980a4d3bc495ec8d1fb19ccaafa6a506faa75a32e9b7c6876e7d6aee7091e74f032f6d8fec339152854bf4f41e2a61d40a7ac75d8d
SSDEEP

1536:W7ZppApBULcfpHLcfpyDA6swXwTfmKJfmKj:6pWpBwchcwD8wXwx

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\README.txt.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationUI.resources.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationTypes.resources.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.TraceSource.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore_amd64_amd64_6.0.2724.6912.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\v8_context_snapshot.bin.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.CSharp.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe

C:\Users\Admin\AppData\Local\Temp\3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe
"C:\Users\Admin\AppData\Local\Temp\3dcae8319f40bfd1761c4369ce7168c2035d2ccd18392c97fe8932c5fab64f83.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
56KB

MD5
fcffa00e4c26af6fcf634a46a5ded37d

SHA1
5d012fc61b4774769ef50cdcd721fda0f742ac82

SHA256
1bc17550561bf3c3fbb25b79b26e8e228406a04518ece4df06001ed0a25cd425

SHA512
27db6b39966acce5309382faf64bfd8823c4fdc3ccd9515a57cf13a545b1b30d8b8141f996b2d23ec06b7bf71629328e20ee3aed98454ba3415ddcc4e5a73adf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
155KB

MD5
18bfe011e0d4177d141f95ca83ee677a

SHA1
8e81b15e7e3ea94eb2089076794bd1a3312444aa

SHA256
4b7405773e35a55e9a9c671730ca4c8dfd56c4a41eb432eeb8799fae132784aa

SHA512
50e965c6ca4df0a1d6dc0503cd44866559ad97cb08cca16858ad7f043e6b119beaff62afafe6316f8d3faa9f19f4c9c0ee41712fb425371e3ce4dd1eac77f533

Download Submit