bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20

General

Target

bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
Size

64KB
MD5

5dd4c8206c9f4c2d46a82ab44264d7a0
SHA1

904ac2ce958b939e618001c4d3341836484a1938
SHA256

bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20
SHA512

beaa06bf902c6dab88f9233dc2f46cc4cd718da662823e7895a23560169d8a7a9cdbc2f348b7df370ada163b7fcce5a37dc668ac596539f9ea4da5b8e9ac5dad
SSDEEP

768:W7Blp9pARFbhQSox/6Sox/ME4JAIAepE4JAIAeuDlmlQPc3f6Pc3f5TGotuMOiJY:W7Z9pApQESOHepOHe8G+6E65TGAI

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (5191) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.Extensions.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l2-1-0.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msvcr120.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jre-1.8\lib\javafx.properties.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Json.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationTypes.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ospintl.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Windows.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Controls.Ribbon.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_clienttelemetry.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp	bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe

C:\Users\Admin\AppData\Local\Temp\bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe
"C:\Users\Admin\AppData\Local\Temp\bf6edbc8e912cf339f8735f109af7c666d2998cda10a5b7ec5f3ba07a2e22d20.exe"
1⤵
- Drops file in Program Files directory
PID:4496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini.tmp
Filesize
64KB

MD5
530f84eae1e9e5f22c3d88c41e2c39c3

SHA1
631b5105c80da6b1b65724acfd8fd936db724bc1

SHA256
b7d58bc126a0fc33d1bcf59d0fd4bd13378957224d02e7192324e723b9ddde11

SHA512
5a379165251e00b36dbc11798dcaee81d7b07ad48616c3a45adb02614d398bd540a968b1a27a6181f286223d0153056e7de3ef3d896d163c67065ce4773a4d6b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp
Filesize
163KB

MD5
66ffc2982334874d3acc71da43edcb39

SHA1
cab8e0b1b364c62c27e039a3c361bcbc47230297

SHA256
6dc358b359b14fce4e9a25c5b0b69c6f72a307af3cf56b9a099bed29b57e85aa

SHA512
e9d606b5f2f1030d61fba695eb7a589eeb7004021ce7ce5d472ce9dbb6558feae5d6ed4a276ab2d5a573dd16f59f73dfcbc7a9d63997d90e105c5846a6ff42f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads