bcacf5207b4952dc07dd7b71e2af2457c5b1f9b9fc4fc177a452c2a2c8e7bdf6

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2befe792ad7cee6665fbbe54dad78210N.exe
Size

115KB
MD5

2befe792ad7cee6665fbbe54dad78210
SHA1

3938089efaaf72fe12ccc68005843f6b3f525b65
SHA256

bcacf5207b4952dc07dd7b71e2af2457c5b1f9b9fc4fc177a452c2a2c8e7bdf6
SHA512

6a058578a043e227be42f6a2bc57f94e021919e86feef4d9d35bd717c202b0f293128a57717310f75719aa0334ea634fda216204d5ab29d2130d78e4e0b2948c
SSDEEP

1536:W7ZhA7dABJJB7LD2I2IHsLMcPnjsPQx9iMb6:6e76BtD33Hs/QPQmMb6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4367) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClient.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\te.pak.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Design.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\Logo.png.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClient.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationCore.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-utility-l1-1-0.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationCore.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.Primitives.resources.dll.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp	2befe792ad7cee6665fbbe54dad78210N.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	2befe792ad7cee6665fbbe54dad78210N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2befe792ad7cee6665fbbe54dad78210N.exe

C:\Users\Admin\AppData\Local\Temp\2befe792ad7cee6665fbbe54dad78210N.exe
"C:\Users\Admin\AppData\Local\Temp\2befe792ad7cee6665fbbe54dad78210N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.tmp

Filesize
116KB

MD5
08806adc7dcc3e8161fe300c728b0c46

SHA1
0b67c6e776560ad24a10812f233606f2a9d78dc4

SHA256
7e80451d07a7c04af2577a1716a1e8dfe20d9995e944759d045439a7a2c087d4

SHA512
9751f7e37e6603878ffb21bc986eaf8d251e75a044a06021f4da4033bae6f84e6c42ff8dcf13ba80b052242a8f84ea2516fb03a73f4fd8957e2d1fdf08b3f794

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
214KB

MD5
fa86d96bba591ffd8c418dd9a3da03f3

SHA1
f1eaf446766d170ee0c2743732d4f7665817a141

SHA256
3cc4cdf2547ffddba951aa982f8421ebb3ee763e548d0e89730c9e1925f1aebd

SHA512
f7452fd11ba11ee71bbe50fe7f9c64d3cc85cf7c2992232f64f90684995e589bdf12e16c10a16f6868e73aef02f78c41cc3a264b1b3b01144d6d542c00ae1a19

Download Submit