bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
Size

61KB
MD5

a2c84a1175b5c9d537dc56da3dabd89f
SHA1

90f1069cf355bc07baf283ffee7ce906b4dda228
SHA256

bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c
SHA512

e2d24311ee0da524f0ef465753ff114bce69b25370cc599b267ab492cf7ea287c25b0ccbd0e1e438fce38392aab8c9515b79eab8f4283de3dac691f0717b3421
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/K1MnT:W7ZppApBULcfpHLcfpX2/Nw/Nwmxu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-oob.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.AccessControl.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\ExportClose.rtf.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jdk-1.8\lib\orb.idl.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\WindowsBase.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoutilstat.etw.man.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ml.pak.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.DriveInfo.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-PT.pak.tmp	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe

C:\Users\Admin\AppData\Local\Temp\bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe
"C:\Users\Admin\AppData\Local\Temp\bb2fd4e99be5dd07c919dbda997cf445701935538d21d39334a56dc4cbe86a9c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
61KB

MD5
82c1b12e194ab807e9fea2d47eee0f0d

SHA1
d7e007700fb553795d5d95834cc1c0241305d37b

SHA256
fa941fba25f3b5478ac54c178b1e13c00a85528649e39a1885c886e14a762938

SHA512
3f6b6b9cc9f0a661438a6502e5431f60372025213bac514d00fcde5c049f005cf612d1661088a07ee541152d98d78ac500601bbe3c6e45e2a7512194d214ccd7

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
160KB

MD5
939ab73c9b227ae08a61521e4179aed9

SHA1
1f8b78861a1cac668f6adc0bbc05003a9a14b80b

SHA256
e84dba82d3dccc805d603089a9118385bf4304e7137024d9e0579778dfdad5bc

SHA512
5ad7a5dc536c2148964ec26de8a479c67caf415c7022a5d9dce8011ba77d4e10eef0d382766f7d0cc1d2344c4554f6382609c3500c30125446903d0f7fec69ee

Download Submit