d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
Size

50KB
MD5

3374c07ec08994556f7fd74f3dc4a4a3
SHA1

5d9a10e05a3dba5f8df6d12ddfaebb182e45be1e
SHA256

d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd
SHA512

52953830f4c36a348cb386acbe4a86cd47c6a3e06288cbdbd8f836af02c63c67bd6d6222f8fe5572a8ef4eab1bbfbd31b51d9e3e21d6008cc25630040b148a41
SSDEEP

768:/7BlpQpARFbhdS5c5mRawAlW1VkRawAlW1V35h:/7ZQpAp86MLkL35h

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ppd.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.config.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\System\ado\msado60.tlb.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Locales\fr.pak.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ul-oob.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe

C:\Users\Admin\AppData\Local\Temp\d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe
"C:\Users\Admin\AppData\Local\Temp\d8bbfb5889e4baa9dc93b2ea69049895c7eed42b32d1f7a1dcb4769e663807bd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-807826884-2440573969-3755798217-1000\desktop.ini.tmp

Filesize
50KB

MD5
31ee4f9e82e980e92094c4e998f14c2f

SHA1
4196a144fee92d1df043c43e3ca2c5f5f9a14e94

SHA256
09eb5cfc10956d74baff9d14195a23823a4bc8dda2ecf7a24165ab9d6b583a1f

SHA512
e80f9e13c8116348da0783f0cb6b66faf6655e310e368cc9c10c7fb38615173b15d47a1b127a184cf01f6dba7455eb0919440e31061c8726579110ee4f0399b1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
149KB

MD5
6baec4d52ffe8f201301cf49c5068e2d

SHA1
92cfdd1acf30febd443954e6937f7a6f1ed7ca69

SHA256
200100a05f9d0849b96eddbb977b18f76573caebfee2cdf884e11aa7f3cddf28

SHA512
cf84f844635df22a4e13f709560a6754fc38277b0ff84503391a489d1170bc13106c9d0b14e7c34d38da42565d21bca9750863e4396f08f5a57ce3996d6b6be3

Download Submit
memory/1632-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1632-1954-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download