d5f16319f623f50db76410eb172255283e33317f6edac96f4c53f8b7f309c3f2

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
Size

90KB
MD5

b7e0cba5f33426d7a4e4bcec99f5a2c0
SHA1

cb78196b7404d5d7112711bd1357223c60fb2c37
SHA256

d5f16319f623f50db76410eb172255283e33317f6edac96f4c53f8b7f309c3f2
SHA512

4f1c30bd737beeea1d619225140f93d74d7948bc9ade135cee414afce5ad70a31a585ab7a77b8008285cd23b0a9c5969ab07157567de1d42b1ef1fd0f1d7abee
SSDEEP

768:W7BlphA7dASbS7EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKe1:W7ZhA7dAvGpG8nbTWJGpG8nw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4359) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.CodeDom.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Xaml.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.tmp	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe

C:\Users\Admin\AppData\Local\Temp\b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\b7e0cba5f33426d7a4e4bcec99f5a2c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
90KB

MD5
c06889beb4b9c50c8eb5b353167cdfcf

SHA1
069ceea924b8130168a5d5dff4efb99ce5587e6f

SHA256
9a02dded7446da90030c27831c3af9bd0a588a208c298ea08dde43a8c143488e

SHA512
bafd9b964b8c718194a57cb547f066b406e55423d6cb0907c9feca885044e6f8a15cfef18bf1ce7b0c55378008af2edb162d69c7a119c5c6872565dd6cfb7924

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
189KB

MD5
c5da8750e1511c7d12ad1091f903970e

SHA1
508ce9bc69b3623ff2ab1e5061ec855b8236e092

SHA256
633331e0e45348ced467932d802a76c43808d568704c753dd2bed1c7a61a4335

SHA512
eb4778378b76267a0f950fbed829c1fe55e1c81de4b084145758e5fe7c1010cd0c00689b7f6d09f90691f5b341ae98f9d15d1974d463528f17b22cb1068314c8

Download Submit