8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 23:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
Size

99KB
MD5

e33d1dd5df1a272a0751b326383dc5c4
SHA1

328dc6719019ef9c86271cf5ab63414a240f7c20
SHA256

8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09
SHA512

59d67aae3c91659ded4856b67049cd56e4c1624413e8f9381a120b2dd8758c13e96fa4541e278e037a5252c033a53a424cfedbcf365f980c43e9faff56bb5801
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/8z3MLffxRfxJCZ:6DWpwE7oL2e+efZwZ08i8z3MLff7f7CZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jre-1.8\lib\plugin.jar.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Presentation.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_en.dub.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.TraceSource.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-namedpipe-l1-1-0.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\ReachFramework.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe

C:\Users\Admin\AppData\Local\Temp\8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe
"C:\Users\Admin\AppData\Local\Temp\8ba7e437a5e4a32044017d18bb23fe847950d977272a1a64815d80646a0dcb09.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
100KB

MD5
89d566aab7803ed0bf6f46f77d352e53

SHA1
e7456bc5663718c96112d0cd0c4bc64833a890ab

SHA256
13c08df2949a49d1ce4c37541bf4aa58e1ab2db03535f7fb51fa7e0087af0c6b

SHA512
15f2fca6800839c2d53f317deab1cb7a0b00379097001307dcef29833299d34a8723f6523bc3c784a34c27ab648b4ce47e48b8b1099b1c52f964ea1a8b7ccef0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
198KB

MD5
059bb11b6acb23fb47a78d9efd54c06a

SHA1
02a70593f45dcd4567e233d66de6d36a284e11ab

SHA256
8f762c1075e41afbc20844c8bbb69ead09d0e5e8b96e5a948fd876b5d690be2d

SHA512
5f465d2a79521cf84780de0f61162f9ac64c4c4a3ffa6a0a871f0c1770652ca6e28446c9e3b04c13d1f3df544037064681594b275c2f5e6daa54d1760afcaef7

Download Submit