be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
Size

94KB
MD5

fdd889ca28313b525ef5593253cf9270
SHA1

f5dced140595bddfbc7c9f492038cda144cc8ef3
SHA256

be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354
SHA512

af8061fdaddaff4deeef20d7e5221b4bb163ed2e61f0def1b864c13e80ff7cef22c88eda541dc29d5981325583499239fa2c4742f039305334bab6e16899e21d
SSDEEP

1536:W7ZhA7pApH9QHwtRF9ESWu0SWujodsodaNovTW+SPL+cycWAF689iladwEbdwEV:6e7WpHIyRF9ESWu0SWujKsKRsP9fVL97

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4635) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jre-1.8\bin\glib-lite.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\Microsoft.VisualBasic.Forms.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Printing.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bg.pak.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationFramework.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Forms.Design.Editors.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.Primitives.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ReachFramework.resources.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Java\jre-1.8\lib\classlist.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe

C:\Users\Admin\AppData\Local\Temp\be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe
"C:\Users\Admin\AppData\Local\Temp\be446baf9921f26afee68b0a7ef47a204f7f4a2e9d9a8d85458b818b81fbf354N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini.tmp

Filesize
94KB

MD5
b668c1600f66272587c46b33dab19b73

SHA1
4efcb2c8b12fb03d511b83a86c2b7ae5bc04844a

SHA256
975818dc3ea43b4a680aac5800236903b40fd54bf22002738ce17b368d842f61

SHA512
0e818d9290dc9c79f03ed5425a6a2bdbbb882a4797bf5408bc3b675fd848de0e3d6816e40ce61bbd696fa2893080f171ec86ccce657f935d34c6f1c4c47ffb1a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
193KB

MD5
6d6cdf92fb4fa82e161203f652643f1f

SHA1
470cf39e164c274fa422918eb4102b7abd882234

SHA256
fdf3c01f00d62dbd14ae4c9151cf4274b847bd3daa0ec0ea1f23a81403b8c06b

SHA512
7c32c645a7ba8b909d754e804f9ead6c24632f3aa680abae122970e7a0dff6f46ba51e573a22ff221140003d7198222c735dab80f057efc627f13ad725570c0b

Download Submit