84f6bc7843a115f460ca7f0f8079722662a9d6419693931358668aa9bd7ea2bc

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed47c33d5bab5f627a71760a0175330N.exe
Size

44KB
MD5

bed47c33d5bab5f627a71760a0175330
SHA1

6d895e873815fb33caaa8660289c6f7b42e8143c
SHA256

84f6bc7843a115f460ca7f0f8079722662a9d6419693931358668aa9bd7ea2bc
SHA512

e409dde2fdd35cb93a3ae758d6bc4b3949e81d39623bc7b8bd532f57a996d47713283a03b8d3bf0f25d8be2a41bbd7f45ef25143cee8458787a17def46ac1b3c
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LO+jybCPi1x+jybCPi1xL:W7ZhA7pApM21LOA1LO+BaqBaP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4648) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\Microsoft.VisualBasic.Forms.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.DirectoryServices.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationProvider.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\WindowsFormsIntegration.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\sRGB.pf.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationTypes.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.TypeExtensions.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\ReachFramework.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-1-0.dll.tmp	bed47c33d5bab5f627a71760a0175330N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.tmp	bed47c33d5bab5f627a71760a0175330N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bed47c33d5bab5f627a71760a0175330N.exe

C:\Users\Admin\AppData\Local\Temp\bed47c33d5bab5f627a71760a0175330N.exe
"C:\Users\Admin\AppData\Local\Temp\bed47c33d5bab5f627a71760a0175330N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
44KB

MD5
b06c8a6abb071f3b8af955e9c68aa1a6

SHA1
bcf7409fd24809b93dd3f593bcccf77d20112351

SHA256
a74cf6f2c9e88794554d40bdf4acf3435fe8c73cdefa6ee261f5169d1d1954c4

SHA512
9c45e4b303de3d7beace73c50bad422a6485906598760c7f7af311738b02feabd227cf6c11300ad7dd051be59a25cb86e7b42764fcef1cbed02155bfa7725dc0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
54dd650b1ce7af55f73837b07da5b739

SHA1
23b8006fec0087c685740040aea3ce967f82be38

SHA256
d40895fc7f290aa4780787e32cb4a744089dc2874dbdee12eda267b4f28a53b8

SHA512
009193a630a4e1b98ac3dc8163bffa62a2f8843b048b237c8b3ed7a5d597e5f233d7284483e702a1e4b18aa0e37fa2f1e511078711bb9c9ed6b104862fe42fb1

Download Submit