bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
Size

38KB
MD5

61003f9aba6a4bc8753e269a1f698e66
SHA1

4ad0d83a558719b6fdc10d1d19d2abb1d1b26e7e
SHA256

bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8
SHA512

deffe1b1f2b7c54f772a5b13219d678d3bcd8771747923bfafe6147d394ebadf021e5f7ba338ca0f8aaef55430d0f14665cf794d06184167e733f874ecb1c5a6
SSDEEP

768:W7Blp2sspARFbhIJOE7Pf2hw7F1JOE7Pf2hw7F7:W7Z2sspApIE2n8MnE2n8Mp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3758) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\FindUnlock.au.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Barbados.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\bin\verify.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmono_plugin.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mip.exe.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EET.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe

C:\Users\Admin\AppData\Local\Temp\bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
"C:\Users\Admin\AppData\Local\Temp\bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
38KB

MD5
4e2c1a4e798aef1c22376e95809f560a

SHA1
200b55286ad2c3f1ddaf78e081f4b61839a6ea43

SHA256
e87c2ade37320b86de6ef2d1481ad68fc88e755d143349002a2be78d5f300356

SHA512
7ace5d87a787835df1746bdc19fa5c8350e3fdebe76af081da1c67a53d8cfc921497bb25c21408a51560fd7b3612c0beff5d373a5997bae2e7cfbbd8e3c7e12f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
e565c201ae94efff50d6f6f24c62355e

SHA1
5ecaa8a22f969619c755d289ddff13d87881ec3c

SHA256
3f24fc8b5dc86f5e2605f28a28f2ccbe87969f3048997d6d6099623a64fb426f

SHA512
9c10435f7f3122270d092fc5195d67666d83adc20e6880320f1afe6f00bd12569f46ccdfbe68f30a840c158c78687a9203f90406fb962dacd597aa680d776864

Download Submit