b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfa

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
Size

43KB
MD5

01aa80959ecbd8a643f1b91f3fdc6980
SHA1

5a23f0e5c20684dab374a2ecd02a8a6da44b9f9b
SHA256

b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfa
SHA512

a7faab22888c67180459287ae71e64d7267725162ed3ec7a3372077fc9cc823c86860de67f76aecdd388db8e022a99df13c00d38d8c94a0cac4e688365648a30
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFjqAJLOqAJLJJ5UJ5aM2M4:W7ZppApBULcfpHLcfpyDaJ5UJ5M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4681) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\COPYRIGHT.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Forms.Primitives.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ppd.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\bin\vcruntime140_1.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\ReachFramework.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\msipc.dll.mui.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe

C:\Users\Admin\AppData\Local\Temp\b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe
"C:\Users\Admin\AppData\Local\Temp\b7e9837244828cadcc00baf1ed5926e4be36828750d01156e1fa10f1feceebfaN.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.tmp

Filesize
43KB

MD5
3ba2679f02ba0abbd7ef3e2d802c31a2

SHA1
e0746d852e7e1756070913a7a0e35fe4d5241f3a

SHA256
eb19de9f24850e905dbe245d9c6b84a5f1fdcea319f206867b313136a00b25be

SHA512
429a76a5bf881facc75ad79ce31e0e96721c6a98163127ab19c017e97e997cd9f0d959f6fa4376fa448e4e43574f4eec993861f80ac91de62b8382149c861945

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
142KB

MD5
d915ed010e6b713798b0cfcb24ca81ab

SHA1
b840a2ff110b9272c8689a19c1551eaeabeaf142

SHA256
4a09396395500e6748af4bcd13b3bd76a110d92bd88bd7e4efebe4e20e3ad322

SHA512
8a61105fc3dc7c4465a23eeb0959b61b857a5b74d2af371ade7ddc401d34bb4d837f9c8713c2b9e1c79cf853cd0d74ddb365a4883c6f8f77bb61d6dada3a4971

Download Submit