d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
Size

41KB
MD5

f85a59a98107052419e76be5db0bbe80
SHA1

2a28fe5fe509981f9ff82993c65e8bc7b277f705
SHA256

d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacd
SHA512

a8573bd8e72bd28df02673fda1fc8c0c726a6f5a2d7577a153895f643e6171dc89fa5b758aa472ecdb110e4722242200b43cad280d2d9dc357f652deead969a1
SSDEEP

768:W7BlpppARFbhjbhQYjY+WyKoIWbsHfySkT5GeQbyi348oWc1RPOzkjId6q8UdrSd:W7ZppApBMyKoIWbsHfySkT5GeCyi348a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5101) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Xaml.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationProvider.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\FormatCopy.cfg.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\optimization_guide_internal.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SLINTL.DLL.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Input.Manipulations.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VVIEWER.DLL.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe

C:\Users\Admin\AppData\Local\Temp\d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe
"C:\Users\Admin\AppData\Local\Temp\d3540c2b325f2893b317c478365fddb2cb09c550fe155ba66bad4a743d7fdacdN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

Filesize
41KB

MD5
9012f0c66d342de469bb5c1ec20f636c

SHA1
445d3f1a5d0b7eb7bce615fdbcf8f184c852c5fe

SHA256
d8bff3ab91447858a666d7997ca7ef232e832d9c7975618a466d53f9ddcbd25b

SHA512
1c65ce93dfd6c1c01dd8822e506df4675f464969ad4452c3b5aa494ccf41cada53b6b85bbc7d230b205e1642f6452db57ddeb17afb973a0f060c51b6c242e524

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
140KB

MD5
8fb6d87efd3ea44dcf724204caa97b85

SHA1
015681bf79ba44884d0217bf4ebb4346610f4855

SHA256
57d4f34d4d980bcd04c5ef02b34e75252fd167d75a99909aa26ad71359e62d2c

SHA512
44219e58b0dd731d03abb3ea5242c240e4b498a44726705038b8f0802faba691b8e9b3685e774fd50a357b6c0c681ef8299fa4d97388d921abf1ec74be6584d1

Download Submit