ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
Size

100KB
MD5

75bc62c313bf78405827458d3ac4a3e6
SHA1

b9548e83a1058f8057ff22be322a31422cbba135
SHA256

ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940
SHA512

120ce7d6fe5d0a1ec65264d36a50c7880db61806e8f073e19d81eb79500b1417c4408b3e71f30466fc0ba724840cb38f3364df9a84aefe694e5a408b41d60667
SSDEEP

3072:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFslEhLfyBk:PqFF2Ie+efsLwcC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5014) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-pl.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.Primitives.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnvpxy.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Resources.Extensions.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Primitives.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jre-1.8\lib\hijrah-config-umalqura.properties.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\ConvertToPublish.xsl.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Design.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ReachFramework.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.NonGeneric.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ucrtbase.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\hostpolicy.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe

C:\Users\Admin\AppData\Local\Temp\ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe
"C:\Users\Admin\AppData\Local\Temp\ba4b4cf402d829b76d9508dea7f00c6463d4e465ef1f82d8274387f3ce067940.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.tmp

Filesize
100KB

MD5
a08d7812abd4cf3af6d866e9dcf2c217

SHA1
ff434090de27838ece779e682ebeaff157779ded

SHA256
3182da85b2ce8b6c4677df76dcc85d564ac7cf8193d635bfeae7d9506cef3918

SHA512
45f0c8f8a3d9c0b2951a377cc1edef1e48378690d5c47ca74293c6f315d95303f79c7e76b01a9b1e125a68f5d2322712c5968f879df7f8db6945ff57b543e848

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
199KB

MD5
609e6483e146acc69a89587364d8d7e4

SHA1
18cdf26423832f34bcf2fd7bc05345784c6deda3

SHA256
2ea4c1dcc8bc8fbef1ee3a64003813778d5149e558b96c91b024bb3f77437387

SHA512
edd7c5ac9da518401599251c9a13add9d81cb7f2a5e38d26e842734ec16df6febb7a7217f57a2889467dfe716ac3018b3963e034453817d28c172c35d3bf6a1a

Download Submit