bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
Size

93KB
MD5

c1b89eea3684fcfe040c9be9d0c16eaf
SHA1

a8a91808ca8acd485326ca03d0caf9357c6ac098
SHA256

bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0
SHA512

cf44e168bd803f793bb60d984f2cbc177a00564d8872e0f8dac0b423d8f41b18958d23158e269db4509b2ede86d1462482e518821c4f3fac0ddffdec8d93b10e
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6ShZQ4PN54PNPw:6DWp4Wy

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5067) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-ppd.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Asn1.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Design.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\ReachFramework.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-phn.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Xaml.resources.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLSLICER.DLL.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe

C:\Users\Admin\AppData\Local\Temp\bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe
"C:\Users\Admin\AppData\Local\Temp\bd5858856ae20a93a6d25277a7b987afde7f24f744a649489175171530db5be0.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
94KB

MD5
e8fae271cc65c9e1eed4ff482f10aaa8

SHA1
afc04ba74b37d137fd4c61e560b169f574b07536

SHA256
ed739820cc60d2c15319abf6cd233f9889e5d011863fd2ac0bb3bdb0d8696daf

SHA512
32b2b8bca93a0ce180396e9f8a9b576e6d7a5f9421a0d5db1ca8554a191ee0acc8e3b8ae3d7e868fdd44650e01a8f6f0e1d46303a8c48decc64b71a572cd45ce

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
193KB

MD5
242c225fb7da57c8a8e1fea99385bb5c

SHA1
0371689ead1e19a32a1105fbc12ee3c40dab9a6d

SHA256
b384390f7f6b4b837ee05778ac90ef2f6be4cc410272f5ad98e6cacf1a34f289

SHA512
62c470b9fa248260f400b8a4ff0ad50639367c5b10069848307d352dcba9763d3d93129ea94ada8eef5791ab348da47bd9a9258e9ce35752bbc43e34fde766b1

Download Submit