ed297e116810cd2889708ebe4b1586c40b0a102dd64c09e837696037c77f27cd

Analysis

max time kernel
120s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba2e2b01f13162f3a2919eaad94e0480N.exe
Size

46KB
MD5

ba2e2b01f13162f3a2919eaad94e0480
SHA1

c3d8273d7deaa6c2270b8e3e396267539e63cad6
SHA256

ed297e116810cd2889708ebe4b1586c40b0a102dd64c09e837696037c77f27cd
SHA512

882fbc51e2ca8c80aafceb3ce9c033dc28f71a03937afc8cd03b8da4049878644f9e61a06022d77f67e7aa7f5008898add03de10aa56c27c23c238af58a948f3
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0IT28yXr0928yXr01:/7BlpQpARFbhNIiJwsJwwnZTxy7Mxy7+

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4656) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.AeroLite.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoBeta.png.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lt.pak.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Metadata.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.deps.json.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Forms.Primitives.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ul-oob.xrm-ms.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\PresentationFramework.resources.dll.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.tmp	ba2e2b01f13162f3a2919eaad94e0480N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba2e2b01f13162f3a2919eaad94e0480N.exe

C:\Users\Admin\AppData\Local\Temp\ba2e2b01f13162f3a2919eaad94e0480N.exe
"C:\Users\Admin\AppData\Local\Temp\ba2e2b01f13162f3a2919eaad94e0480N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini.tmp

Filesize
46KB

MD5
6d83986caabebd910f1044fc8e6fa595

SHA1
874c50ec831cb0d3f5221d65e526432e33bdc528

SHA256
35390f1b8ef9edd4cccbe453aff216c72a373ec10aacbdae6159525537df9bfd

SHA512
e61776ab20b04580b406f51f0d6b26a49364830431c05d542d8a26dd277c9a6d6902d5acf36472c0d12f8f622a83bb64c3361fedbcf01a4a7b9c07f7f858ea98

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
145KB

MD5
8221b0314519cc2d21aa30e5a5a81f78

SHA1
648892871dee9c55f354209ea7c22c39479032b1

SHA256
bc901c96a98a0b9f81eac44b2b68d5f3995216b2372c46fa966b9b533aae883c

SHA512
6d2b2907d72a49d6ab80f0aee8d897cdf35cc6262c495fbb8e75c99ccf81acfe2a2ffa1563e5625e65143da876e17ddd9f4458cd7a6b01576b64f62406fc6211

Download Submit
memory/4572-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4572-904-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download