b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
Size

52KB
MD5

489403592fc3ab97f17ca0c03a7e728f
SHA1

2b650aafc5dc09787e4a451c1f14a6815704c7dc
SHA256

b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59
SHA512

33c47ac30e2a3fb74f974f979a8fd25ff83c6f52c87b3440e0ff3af22147f294fe4f95b603871c476c0ddcf1946704a46ce926ec3bc240dd974d445c6796053e
SSDEEP

768:W7Blp+pARFbhBgnKLMWK9WKD2N2QppjzjC:W7Z+pAp2nKLRKIKqoO32

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.Common.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\msipc.dll.mui.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Design.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\FormatTest.mp4.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sl.pak.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\lcms.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\bin\xjc.exe.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunec.jar.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML.tmp	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe

C:\Users\Admin\AppData\Local\Temp\b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe
"C:\Users\Admin\AppData\Local\Temp\b4c4a7c4e7e0ba729626186329c2f0aecbdb9fe2b466c98ca405d32f38c7dd59.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
52KB

MD5
cb262bb9c19d76bb046df96143d6a68c

SHA1
589621fe9603d3c84a72054f4cc0b5b464771d11

SHA256
a159975f42c9f9c772e7f78c2fcb1e56ca257747b412d34100b286a0c851987d

SHA512
4614602665062a7be18c5014a4b34ebe97f9952da77efdc890d5b7a2470e9ccda5d45713e1f728c7067e279e3757e46067aa0e71db1154e44b8e138a2caa84ef

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
151KB

MD5
0b1fb7f3d49eb23fd7447adc4f6c025e

SHA1
82fb14007ea4a4aaa96e00a3988e65c2b704e79a

SHA256
c1e1084924cdc5dcb69df03d5ee8a7ca822db2793d553ac7fbfcc889947a6571

SHA512
00e8bea4b5af1539deb5e1a44ce396d130d7ca4b3738d897193c72056dec5dae0aaa379443f0ea73b2ce366108b299f46e7f41d44f5ab112ecf23df706b9c833

Download Submit