b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
Size

44KB
MD5

7a3770eb9620a0bb2989536e38ca94d0
SHA1

e9bc9ace1a13230fadb61cbe52e728334cc5f1af
SHA256

b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70
SHA512

608e8e0afff5941a37e71e6f3e0759d26b353a5ba1c6289584098075a5c7030b6bb5929f3f20704be7d35743949735fc153ea6e30692621aee6e6b218652a05d
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwz72Jwuq2JwuR0U0IS:/7BlpQpARFbhNIiJwsJwwnZS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4654) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\PresentationUI.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul-oob.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\JitV.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Immutable.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Web.HttpUtility.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.Forms.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClient.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\D3DCompiler_47_cor3.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2iexp.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Forms.Design.resources.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-string-l1-1-0.dll.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe

C:\Users\Admin\AppData\Local\Temp\b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe
"C:\Users\Admin\AppData\Local\Temp\b8d0f64bc98553db3d61605769c80359f546661a5d8c7ac8029c1d63e735de70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini.tmp

Filesize
45KB

MD5
2869f758b7bbf1b8fdb22e62198630f5

SHA1
2c07c10831cc6d6d5964d6d2960fbb66344dcae8

SHA256
0c3ce5b4a3901432e8820ed371b16e01e02b1654e071ba572ced5bcd70d41e75

SHA512
4d33edb7336085028953066642cfc1add78f50da4b216975fff46a3186bc997d9090e67df758943820a1463a019edbe69389978cfb93e0c940192e5d14422f82

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
143KB

MD5
1e709494db07b7cba5f57bc782c88e75

SHA1
e84a82e5a3b7f0930ce469f93e890a3de3eadb39

SHA256
c6f3e318f1b828457b26c31c38de304981a361b034e48340d6e327dbd8bbfc85

SHA512
6495ca83ccc8c5d611e73ab3024355176b8d98ca3166ac7e6c37451686b27c544debb5a7cf6471d5276b8e2579c09c2cdf20bc31692e9b205dc2ea8773acd28d

Download Submit
memory/3736-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3736-902-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download