b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
Size

103KB
MD5

3c37fa0a09d5c3aba87a6b7ae35b4200
SHA1

8c6af0ba1fc347325afa73fb74485f3ea57dea67
SHA256

b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812
SHA512

f3bb405cd1b3bcd58d0974794f043a097ee274a9d84676ea72090d5b7933cc1d8c2d7883d770542e75728989153bf3063644db1a5cb2d79bddfa47265da4fa60
SSDEEP

3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZ0VXaSD8:RqKvb0CYJ973e+eKZ0VA

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4858) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Design.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\deploy.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-phn.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jre-1.8\bin\instrument.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Input.Manipulations.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\ReachFramework.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Input.Manipulations.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe

C:\Users\Admin\AppData\Local\Temp\b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe
"C:\Users\Admin\AppData\Local\Temp\b010c49025760a8f9b04f2159b261b958c37dc71f4ec72926f1a0d3211ebf812.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
104KB

MD5
4566df10f3bc5a65a6b1f87172f4b607

SHA1
b452bea7ba64791453852a7983e66322636ea6ce

SHA256
6468995f2d9a2802887d8a1bdd739024d37ae6692910ea0cf2fb827fa9f960c6

SHA512
697811ab4c7d470b75806217a9c376e8708b5536a0929eba0c5c96c01e67385c5454ba19ab174be8d174e1b0d810f19c69affa9df1cdfd045a678e0dadb112fb

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
202KB

MD5
9d3ff6beb6fe3a1330c16d7650c60d61

SHA1
7f01f42b62a550ca6428d9c4cd3dbff81866362d

SHA256
56fab9c75aa7905b38945feb0fa99ad0bd81fef4a935b9f7e6a1ea37e4204371

SHA512
37faf169975628b006b812c40185831d1351c20c00f99dda4af154b1ad2218d82279e24f84404ec2482f57be3e09479b51a9265d7af486f9a3b755c2cde9e9d8

Download Submit