b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
Size

36KB
MD5

c15b624b049f6f3b019ec1e76911e4f4
SHA1

c43ed5454d89cd494a4780ed25cb8ab61901f8c8
SHA256

b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8
SHA512

0062eebe14a719bfe7cfbfdb74ca5709aa42220e5ca5bf91437bd19489b14bdf94abf139778e8134bc03dba9dff9bff9268896efa8bde01c650fd67f7a3d9bfd
SSDEEP

768:W7BlpppARFbhknrzzA8JQ2AdJCzA8JQ2AdJcQ:W7ZppApkxQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5350) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\LICENSE.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.RegularExpressions.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-phn.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationTypes.resources.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe

C:\Users\Admin\AppData\Local\Temp\b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe
"C:\Users\Admin\AppData\Local\Temp\b364fc96ed609565968be2eba2935e5d43796f404d7631f7f8777abdf4f08bd8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
36KB

MD5
51fc38bd5c9bcf852afb560b433428c9

SHA1
98d2cdb8e484cccfb13626393be9e5fc4d06f59b

SHA256
597b8b9ce8bcba2a5faa014a7a0a28ac77de271611aead590bb14f76a8ee8984

SHA512
00a8f82f2090da87c5b14ac9c5fef62cfa8d3d9e6595dadb931f44337addcdf728bf8781be775aab9ac9fba6450173df89022cfee59ef9c52479d3e4324e7300

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
135KB

MD5
5cd4e98ea9368c2c3fcf980681fa8785

SHA1
0f2d76e611b8b713e6a5c5a37f197556a1e14cba

SHA256
91a14c0a2a38e4ee6b2c79602995671391a70c4a09bef150b13f8016509b2f7c

SHA512
b8872ed7076eb1f40423968e8cd5d27633b7eb1ffb3c1ccdae753b0fcd3448c96bf79a33c561d9014d7f1b308ae90360e84530e4ef27bdbf504cbd0eaa4f7dbe

Download Submit