be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
Size

63KB
MD5

81aeaee52d3d2571749021d66ab950f0
SHA1

c167c33ee34fa82d050fdee884c949c7a98a1909
SHA256

be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026
SHA512

47281f882ba3ae08fc1f3e4b3bd230c5c3e54f4d6b2b710886631113074978c3cd2d1258f95ec422bbba4bc0bc9b1d007ed36bda2c1a68489014959eab9b6b17
SSDEEP

768:W7BlphA7dASbS7EXBwzEXBw3sgQw58eGkz2rcuesgQw58eGkz2rcu90TKe+0TKeW:W7ZhA7dAynMdyGdy7YRY4DgDP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4642) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\en-GB.pak.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Google\Chrome\Application\initial_preferences.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Sockets.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Primitives.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Design.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Primitives.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Controls.Ribbon.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe

C:\Users\Admin\AppData\Local\Temp\be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe
"C:\Users\Admin\AppData\Local\Temp\be5131dd850536369115c3534ae386d6bb46ec161fa536b64bf256cb65f56026N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

Filesize
63KB

MD5
25700f814e5211ac09da64a1f45f7ae0

SHA1
e1a511d2f848f00510f0e7b111024ab74df244b4

SHA256
9e94775e712d210e9ed3cb7171738cc457b5df380fe03832910bfda5833c6e46

SHA512
0acf58da43a7ef99e670876156af1973525d48844da6ef072c36bf14f6f9db14ddaed13edd92166d2baffa1d94cae9f926d02c27304b8b072fede967bd5175f0

Download Submit
C:\Program Files\7-Zip\7-zip.dll.exe

Filesize
162KB

MD5
54657061b7e3778243fff596d3fd8209

SHA1
6cc2e94c6131b443dae026de489a8d14d2a66d4c

SHA256
eb99488b50263ce769979e9ffa7f4075a7313321921b6956c6727544c0d93051

SHA512
54d51a6663bde5107a398127f63c38a3358f943f491d9ec40e92a53779c7a4d90e6d18c866d77582ec627136288448f8053092d67d48caa136b18ee951aee51f

Download Submit