821166701b16c3bf033d4d8bd073a41e3d37988564d6988c44df2c8117ba8fb1

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
Size

45KB
MD5

b2ae9c0fcc6f3483f54c6683d2cc7250
SHA1

76c36d12f23adeb5e2231cc62d6cdcff5ece2039
SHA256

821166701b16c3bf033d4d8bd073a41e3d37988564d6988c44df2c8117ba8fb1
SHA512

5c34687abbb9fad431ea3f376014faae1e234f74a60e0b7426cb226e29c1ed25223296d6a3db686912d12928c33411b2f215ea6efe96c42acd2b17a7b11ce046
SSDEEP

384:yBs7Br5xjL8AgA71FbhvBfepj3cfepj3KtLJilqGelqG4K66CPK66C6:/7BlpQpARFbhq1KtGFGxNCSNC6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4661) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jre-1.8\lib\net.properties.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\dotnet.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\UIAutomationTypes.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Xaml.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Controls.Ribbon.resources.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-time-l1-1-0.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf.tmp	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2ae9c0fcc6f3483f54c6683d2cc7250N.exe

C:\Users\Admin\AppData\Local\Temp\b2ae9c0fcc6f3483f54c6683d2cc7250N.exe
"C:\Users\Admin\AppData\Local\Temp\b2ae9c0fcc6f3483f54c6683d2cc7250N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
45KB

MD5
4e77822de7fc35932fe0f8783ae7e44f

SHA1
a62505fa4b751598d8f192bdb1ac3d3e0c67b66b

SHA256
aeb82a818dc8527b5a8d31ef89d049913bcfdb0ac53abd294501a31799cea0cb

SHA512
52460f0441ff317a4c03b7c8f515708f8fbc1915b5e6b2074a1594087674fd2f6d69cfd4e5e77ae844a72a880e063555e41af1d19412268a039cfe4a1698b5fd

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
144KB

MD5
1c4a32111dfd70b91677b8b23ecfbabb

SHA1
8427592d5117dde960979aaa85aa98e51774eafe

SHA256
b5a86e2fc26dd18df8c19be7423b435240ca7f0d633a128c24a19418fdd22ac6

SHA512
e25570f2b9dafc2c856564bee7412d3c2d840089b4f7d9771a56944d877a27b1691aa9075c3079328e954fa57b77f01f5079696dc975e4571988763a5ef9cc93

Download Submit
memory/4020-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4020-1000-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download