f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
Size

70KB
MD5

a6cf0d70c215c4bd9015e502963ab3da
SHA1

96dcd1095eeaf7e3af2a934fa4834e8d255b1b59
SHA256

f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc
SHA512

7fbca41b0ea80bde7b005baf3e14e0311f829dcbdc76c6ea9a5e5838ccded13607a5aa11d83e79b48e5c40f5af5b30dc440bc5a5b9912b8b71a547e441f80a0b
SSDEEP

768:/7BlpQpARFbhvEXBwzEXBwLtAc7Fc7u595QUhUey5vhgCy5vhgcTt:/7ZQpApHou595QUhUBgtg6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4867) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\resources.pak.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jre-1.8\bin\jaas_nt.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationProvider.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\otkloadr_x64.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.Primitives.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKExcel.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\CIEXYZ.pf.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe

C:\Users\Admin\AppData\Local\Temp\f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe
"C:\Users\Admin\AppData\Local\Temp\f3d051a2613f4fd5e7fbbb04cb46338317bf1f794a2dca875ac1321c80fbd7bc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
71KB

MD5
db401f5a7847593a3fe15a914714afd9

SHA1
2b3a4b13a6010d73d18aabf8ecb53098814faf6a

SHA256
bef69599fae44ced57a24a28b41c013585c1c53a08d07b1e20a9557c9d1e8a57

SHA512
4bec85448cebb9846bc873db4dc87db6c231ca85e08012ec4e34c9428eeff615346a884eb8ae5f26e72deda713cc5385835a64614c1dbdbee4649a13301477c5

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
169KB

MD5
07b460eb9a2387fb15a01da51c990548

SHA1
995e3dcbb2ad4946079e8fb161c8696b45de404e

SHA256
58cf16631387cef368bc36d33724fbaf94b25f6dddecf0fd4f84ba58c3ea80b9

SHA512
86d1903b2c37bf876f6463324bef9ef901e3a2bc054c9a07f5ad2905f0e1eb9c43cc7a389361091b67176770897d9f50cd8a0e3eac6b802aaedc39c3679c837a

Download Submit
memory/5068-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5068-662-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download