ed6b488515c0c27c4cf2a255c038754ee058ff912c0d5112c71ee12b88661ed3

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba3c16561b9c967b4f44380dfd8795a0N.exe
Size

39KB
MD5

ba3c16561b9c967b4f44380dfd8795a0
SHA1

dcf9ef12fbb388543ae09fc2259eea64f878c1d3
SHA256

ed6b488515c0c27c4cf2a255c038754ee058ff912c0d5112c71ee12b88661ed3
SHA512

6f7a52ade6b72e0352eec651f60ed141a18fb55f54a76df9c7dc4eaaa2b6e65b1f832b7b51aea567c13972a93fb650f4800a081aa4aadb0882f139589f2b5e76
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5lsSn:W7ZhA7pApM21LOA1LOl6vSn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hr.pak.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Configuration.ConfigurationManager.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\cldrdata.jar.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\PresentationCore.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.Editors.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsFormsIntegration.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationTypes.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	ba3c16561b9c967b4f44380dfd8795a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba3c16561b9c967b4f44380dfd8795a0N.exe

C:\Users\Admin\AppData\Local\Temp\ba3c16561b9c967b4f44380dfd8795a0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba3c16561b9c967b4f44380dfd8795a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
40KB

MD5
5f7fa94a3cccb0ee90b3d96408a4f768

SHA1
e09ed115b003107ed1147c9891dd2a1ae4ec16ad

SHA256
38c775808cda5f8d0f47333a3c58e8cc31010b0cce67fd6a1b7e495bf72bec46

SHA512
5884a60c284e3df6304e8538d79988fcd7025c458bba3b9866db579943791e68246c78c5f2023eeba5551dd89b64e9484dd62841d80e9ed60e08df87f8c18335

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
138KB

MD5
c1e6120e1e4ea3bbe5c7db6b2e36154d

SHA1
ee202e9a4108e734624ea4b64245aa6b39e2db17

SHA256
e4774d27e52dc094d2611fea655b806ffa436dead807a20d50a5c806a7598a37

SHA512
c2c7017b2742c26836698adfc27c96d176da55d1843760fe91a1cbe1328fdeda4a1a42ae606af7d7697cb689299130824d710fa6598fda7c61895928af249ee4

Download Submit