bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
Size

55KB
MD5

30bbbf8b6d40e5d27b8a6a7ade9d4080
SHA1

33cc563e7b8148f0b9f54862fba074faa870ef2b
SHA256

bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674
SHA512

52469274da69957d2ad58c22323a42d64d74c6ad9ff39e94176d561cb20bfeabc64e794827ec452dd10a485f207aa8b4587b7ab3218a4fb69e37edff15b5916f
SSDEEP

768:W7BlphA7dASbSjJJcbQbf1Oti1JGBQOOiQJhATBWvyBh85c5Hjrl7lcl7lM:W7ZhA7dABJJZENTBWv36BlilC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4615) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordaccore.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Controls.Ribbon.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\WindowsFormsIntegration.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Design.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\eula.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ppd.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-locale-l1-1-0.dll.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe

C:\Users\Admin\AppData\Local\Temp\bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe
"C:\Users\Admin\AppData\Local\Temp\bc9967a451e60605cc7bc2c2857343d2e5fa5637ba0038a8b7f5bb7272101674N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629364133-3182087385-364449604-1000\desktop.ini.tmp

Filesize
56KB

MD5
3246de210e944459871d3d90e1c68e9b

SHA1
3adbf0d0c7a49d2b6cc3db3fe3f6e9a4f749846a

SHA256
b5a4674c10a1c92806fd95430d56afb237812afc0f0458e53b5ddabe07ea4303

SHA512
971aa2c60fdc13c18c607879e3420828e896f9ddf10373890034de3ba455ee2ed95225c5d0fe962ac1885b47ad3c58b4379be26713157a906150551ed0411f72

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
154KB

MD5
21a603080b87dc7ce2a60cff3f573db9

SHA1
7d4acb900dd1841dcdf36ba25a9371f3ab778497

SHA256
7363c955f00eb56f7369dead47c6b59fa3a7a306355ac9caa04f98df69bea93c

SHA512
56e1773e52b239026d8e27b55572f96c9d221a96ef55da35aebedeb4708c0be052657402d4e6cadb3e7bcf2d922b7230ff00ea26ec62ee623157b4e4bbf8ffad

Download Submit