8ca8b3a9119be52148a55fed79f8e6729926bb50449d7411d78fba83fe338e2c

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
Size

86KB
MD5

bd8f35fe43d8eb84829dd1ed0a7928b0
SHA1

67ff237a7e1da282a36b2c4a021ef204fb7c5d04
SHA256

8ca8b3a9119be52148a55fed79f8e6729926bb50449d7411d78fba83fe338e2c
SHA512

f0662bebda3094c112625bb1e11c17feeacf8cf3853dcdc7357112681276fcc102dc2af1a550dc6feac2fb4ba933163785700480f4f71af252bade65eab58c50
SSDEEP

1536:W7ZDpApYbWjIoPyPoLzV7c6Sh1Xtkkkkkkkkk545:6DWpm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationUI.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ms.pak.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.CoreLib.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Loader.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Design.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\et.pak.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationProvider.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsFormsIntegration.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Extensions.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.tmp	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd8f35fe43d8eb84829dd1ed0a7928b0N.exe

C:\Users\Admin\AppData\Local\Temp\bd8f35fe43d8eb84829dd1ed0a7928b0N.exe
"C:\Users\Admin\AppData\Local\Temp\bd8f35fe43d8eb84829dd1ed0a7928b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
86KB

MD5
1dbfb44b5c04bcd67288e4782fb60912

SHA1
156b809ed83e86b3dcf08af595f7b3aba23d7e21

SHA256
2f034610f37f5385760184c98289801ade4cf02261b0261137f664e98a58d37f

SHA512
c68982bee3eb1fcb8134c4b5854760e1466ba781e2b208e3fa6d39daa2ac322e7fae5e03e9c7ce200fe12ae830b326780472397bf9bfcb22e0cf7c18d02bc665

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
1e2d5f9aeef3be673286b3a103808782

SHA1
6389c71b439c15545c635b662f38e9e272b30d31

SHA256
86c21f16d2fa847fd496baa69212d29ca6965145e8aeac816a6e4d229858aeef

SHA512
9dd58ccbd83ef7e5e8eea330cd4a8370ad51085a26d2a82eff1ee3ceff1b76eb77e77f58b3cfaa3c10463d410669cc0561da28f061581a6d7ffc933bd71f1959

Download Submit