2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 20:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
Size

97KB
MD5

b1daf4a2d9eefd172eba467175deaeca
SHA1

bbdfb29f74f9efe7e5f3a1d8130432d3c5550295
SHA256

2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037
SHA512

77d08b525605992da1febba0354cdbc902498cfc7fb94758fa6e545f595d276bae8a3ec361f9508dbd052e6f321ca5febfaa83b9ba39fbe08324a4856748f4dd
SSDEEP

3072:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL9ih2x2m:RqlIyFESWu0SWu86jYh2x2m

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5005) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XmlDocument.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Office 2007 - 2010.eftx.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Controls.Ribbon.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ppd.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Xaml.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fr.pak.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Dynamic.Runtime.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClientSideProviders.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrjit.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsFormsIntegration.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe

C:\Users\Admin\AppData\Local\Temp\2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe
"C:\Users\Admin\AppData\Local\Temp\2bf895d4dd508112533af05a6165f4513f82c558ea62ba33f5fb0fde4eb39037.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
98KB

MD5
8ec34369e3bac1af5daf74199d9233ef

SHA1
bc4fd5c8b246aa9d17e36923b73c3f2e96da3b7b

SHA256
16a47beb330d64e71d34f30c774e779d07ebfcde300b4d071cbb7b1515ef8711

SHA512
978c4fcff88680c9bc11c33a39fd25c5531bc88715bfc704f5a9a9e4345970d3341bff17cf208c810beea826229acfba6ce082b8e5bb5b87bee668f4b6765a39

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
196KB

MD5
bbea2af81c6b42a524bc1b34cb165215

SHA1
22038eef6608561c4a80ad7e3522cc6aedab00e4

SHA256
5b472a15a6d9a7f90577938691935f3d85dd4fe5a9b17f0cdce5d146a1f6fc25

SHA512
1fb4ab728ea4430da118b4ff552fe9b0e98cfd93b81ced722447142de895569e030a90b21d8ddfb2a6837c5b1a75f8a98436466e74853450539772319d9f426e

Download Submit