6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
Size

72KB
MD5

77238c9ee1dbbc82a15ed9734652ec36
SHA1

92d7a0dc8836bf9b29d3672bbf7bcc0b09e1a6e0
SHA256

6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa
SHA512

c1740918b5365efc7ee6ab393cc1cd1651a6e818cf9084d5307765a0bcdd1e557b10572093d6ee82cf288a10ba7dffa489104ec2b46e26bad7429e6d2fdfdd0b
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJPfFpsJcFfFpsJcC+3mC+3meDAfABJ6fABJwEXBwzE5:/7ZQpApze+eJfFpsJOfFpsJ5DEcR

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHIC.TTF.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jre-1.8\lib\tzmappings.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-pl.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsFormsIntegration.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\db2v0801.xsl.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Xaml.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\ReachFramework.resources.dll.tmp	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe

C:\Users\Admin\AppData\Local\Temp\6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe
"C:\Users\Admin\AppData\Local\Temp\6ba2ab853c022a612a2d858b1dffbd5b257ff8da941eadeafd27fb7be47f56fa.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
73KB

MD5
0133e10bfd60d01af281218a9dd2547a

SHA1
e944cb566249da2321b8a6252cebba2e970db64a

SHA256
96f5c6dffe60401ea4dc3cc0aea183c42c1e634f1090b6dc6b72d91bb1c0120f

SHA512
8bf7d01ef8ba428cc69ddd068e28a345f904da68a388a26e431cb85d9f3463e2096c76082ee2a51792638c9c6d3d182a17248de568c4958eea7ed3acd4498d6b

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
171KB

MD5
4a3dc57ae4e04c2aa57aafed85539b47

SHA1
43152f6daed3acfdd91381f136105bd158e4899d

SHA256
d0a8dc182cda6d928acc3841d9e7410f4eaa1f03329bf2f0ffeedd41953da9fa

SHA512
8773fa3edf95d741d350c29b3b0d1d6e1f5ac64b0378f3a2ab727ea717c585234a2a49e80fca657c367350a229d90c44c224c468043eaa779826ed7f98078663

Download Submit
memory/2228-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2228-1952-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download