bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
Size

57KB
MD5

b594d50242080d1a4f5bc7034c44c990
SHA1

9427694237ba335d42bee79da670df71233858ae
SHA256

bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86
SHA512

5624081bcc54dd80b0b12228ec03dbea3965baf4d161da9d1c5fa7ff9ce96a93ed1d7b98aa17ccb98ca86b5091c82b1750c38126c51d6e1d1fa65c60b6622460
SSDEEP

1536:W7ZrpApojswv0EhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFs7:6rWpcsHEhLfyBtPf50FWkFpPDze/qFst

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4645) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorrc.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationClientSideProviders.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.cpl.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Debug.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mce.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-math-l1-1-0.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClientSideProviders.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\he.pak.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationUI.dll.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe

C:\Users\Admin\AppData\Local\Temp\bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe
"C:\Users\Admin\AppData\Local\Temp\bfaed61ce37f28973c57d044e81efd85cd9eca8a39e281e01cf18caaf7b6af86N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1194130065-3471212556-1656947724-1000\desktop.ini.tmp

Filesize
57KB

MD5
2ec8e8ea6d0120ba905d3d764ad15276

SHA1
5ef1eb1b6c1bed079724adaffa29fd300e6ab5bf

SHA256
c3b7ff55e8b50866447a4a9b23510e4fb2dda96ff2d7c20d0b1b5dd5032cd7a1

SHA512
8f59f89b2420cc00e701cfc277384d72bc78c136919ddd2ce49a7faa3f76d9e411819fcc1308c9ebe5cf7d643d8ebf704b6a29136e8ed927763130dde545d721

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
156KB

MD5
17c756e81524f7e4dfda10c60ae32f21

SHA1
aa868f2b55862a07259cbc14d6b807467efe6745

SHA256
82a17210c2fa9431580bf77a8f834c7a8aefa921323c8741bba98b31f57127fb

SHA512
2955bd498c243bf9fb09a71afc4bb028b8b7f15238b299c93177a32f990ab452537b4cb7df643915115685dfd44498340e0ab9242f74cf7c904621dc0418e671

Download Submit