bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
Size

38KB
MD5

61003f9aba6a4bc8753e269a1f698e66
SHA1

4ad0d83a558719b6fdc10d1d19d2abb1d1b26e7e
SHA256

bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8
SHA512

deffe1b1f2b7c54f772a5b13219d678d3bcd8771747923bfafe6147d394ebadf021e5f7ba338ca0f8aaef55430d0f14665cf794d06184167e733f874ecb1c5a6
SSDEEP

768:W7Blp2sspARFbhIJOE7Pf2hw7F1JOE7Pf2hw7F7:W7Z2sspApIE2n8MnE2n8Mp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5192) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXml.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Security.Cryptography.Pkcs.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Memory.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Input.Manipulations.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jawt.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClient.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ul-phn.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationCore.resources.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\instrument.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\manifest.json.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe

C:\Users\Admin\AppData\Local\Temp\bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe
"C:\Users\Admin\AppData\Local\Temp\bfedd6f6a81bf168279be58e4e6ecc2bad1d061311a5b27ecca320bc31d31ac8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
38KB

MD5
fdd158cdba41e0146d94f2aadee446e4

SHA1
3e91e40f34a69061529130cc1ec7133f6750d1c8

SHA256
e4fca222b2aa3eab81051a544e0d0f174a621e40880f28f029dfaf87a28107af

SHA512
d50dc1d4dfe74a99820fe5a4db0c62a52462ed31353c358cf863afc1efe54ee48d0b6d3b67dd971c3110e35187e24c303839a243fc71fa762eca7be995104347

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
137KB

MD5
0fad383643646f82dfca52fbeb1399db

SHA1
c0667120dc16e755e8c534b30ef78efa03e26f60

SHA256
2bbb1a11d4816cc2afbe379b54f164751aa2c65905cb10525596747df15c70f3

SHA512
1e8d87597b8880a8a5f95a9625026dbdebe5ef4c0b178f7cfec811b70c0a27f223923138fa212741422d83358249a9d24669747741223a23a3bba5454473478e

Download Submit