fae9747fba139d913505b1faa98bc04da6ab57ff4e47718aafa506ff00b1370b

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b95cd34e71920a0735d100eec88a5eb0N.exe
Size

81KB
MD5

b95cd34e71920a0735d100eec88a5eb0
SHA1

db4745747a481e4130683b3134d6b05aa4900fb1
SHA256

fae9747fba139d913505b1faa98bc04da6ab57ff4e47718aafa506ff00b1370b
SHA512

f6db80e24387b0f8d3e6168cd0e2312dd03e9ec6ddc3140049d3cb57653d500bd55bdea2ae79378537cf3dde01d3bf40348a020b937d9443d245c8c58ca1da26
SSDEEP

768:W7BlpDpARFbhYQkQjjLaMaRRpi1xnRpi1xOYJIJDYJIJMFhWFhCmDpBIjsZORReH:W7ZDpApYbWj2WTWJe+e/qXhgb

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsFormsIntegration.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\PresentationCore.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-2-0.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clretwrc.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebClient.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.AppContext.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Dynamic.Runtime.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\meta-index.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\hi.pak.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ppd.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.dll.tmp	b95cd34e71920a0735d100eec88a5eb0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b95cd34e71920a0735d100eec88a5eb0N.exe

C:\Users\Admin\AppData\Local\Temp\b95cd34e71920a0735d100eec88a5eb0N.exe
"C:\Users\Admin\AppData\Local\Temp\b95cd34e71920a0735d100eec88a5eb0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
82KB

MD5
2eda51066bc0edeccc8114325555a480

SHA1
74cda1fe0a953cdbf35fcfd0dffb61ade735688c

SHA256
025a463dd24ed9e2a15adf5401dc322686384c83f4dea2b002ee29c4933ea33a

SHA512
1915467db26508c562a0a21b7d466608806b830a7c0316b3fa6f51e4e3dad0e8842ae695c6c8ebbe59b8fb8342586e852530631d61332677a3771cff0862c60e

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
181KB

MD5
0d38f749f8e469bbd22383915c5d7432

SHA1
2fcfa088bf67a44f2f452a4b55d14c3cc1f23801

SHA256
4fa7f2af3b18fb6d28df710d368012c280df9d59592c5b0ae4b566dc17893904

SHA512
4550d22de9ff48d1d26bd44ba7a9f752bc8dc2c5190b549f52568246fae86592920235c5516b30aca5051fd61bf41aebdf3b78b7c292c70c5f3956f6e33360c5

Download Submit