Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/10/2024, 04:18
Static task: static1
Behavioral task: behavioral1
  Sample: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe
  Resource: win10v2004-20241007-en
General
- Target: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe
- Size: 59KB
- MD5: 0180e5341d547a9f8c44e0ee1e1ef960
- SHA1: f7263447cb893b7c67605e932a9a3d879f56ba55
- SHA256: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55b
- SHA512: e5148c5b90975d2908a074c4094761f9097e341afbfe3078c6b7e23db65e4b1f9c8f9f9da63fc6bb9c9c4a19589320291d7677980652e4ae7b9e9ed2c345fa07
- SSDEEP: 768:W7BlpppARFbhHFoqAJwBqAJw1VyjVy/3sY1YxwDwI1Q1P:W7ZppApyVyjVy7UO2P
Malware Config
Signatures
- Renames multiple (5044) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system and appending an extension to each one.
- Drops file in Program Files directory (64 IoCs)
  description: File created (all 64 rows)
  Process: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe (all 64 rows)
  ioc:
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp
  C:\Program Files\Java\jdk-1.8\jre\bin\jsound.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Input.Manipulations.resources.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp
  C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.tmp
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
  C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp
  C:\Program Files\Internet Explorer\ielowutil.exe.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sr.pak.tmp
  C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.dll.tmp
  C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp
  C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.tmp
  C:\Program Files\7-Zip\Lang\tr.txt.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.tmp
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
  C:\Program Files\7-Zip\Lang\sq.txt.tmp
  C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll.tmp
  C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.tmp
  C:\Program Files\DisableRemove.xltx.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp
  C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Overlapped.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp
  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp
  C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp
  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml.tmp
  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll.tmp
  C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.tmp
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe
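Taken together, the three signatures above describe one detectable pattern: a `.tmp` companion file is written next to each target under Program Files, the original is renamed with an extra extension, and the NLS\Language key is read once (the locale check that many file-encrypting families perform before they start). The block below is an added example of how an analyst could re-derive those verdicts from a sandbox event stream; it is not Triage's signature code. The line format of the event log, PID 1204, the `.locked` extension (the report does not name the extension this sample appends), every path that is not in the IoC list above, and the `min_renames` threshold are assumptions. The rule generalises slightly beyond the page: it accepts any `ControlSetNNN` or `CurrentControlSet` path for the language key and also covers `Program Files (x86)`.

```python
"""Added example (not Triage's own signature code): re-derive the three
behavioural signatures in this report from a sandbox event stream."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed event log in an assumed "kind pid=N path[ -> newpath]" format.
# PID 380 is the report's process; PID 1204, the ".locked" extension and every
# path outside the report's IoC list are assumptions for illustration.
SAMPLE_EVENTS = r"""
file_create pid=380 C:\Program Files\7-Zip\Lang\tr.txt.tmp
file_rename pid=380 C:\Program Files\7-Zip\Lang\tr.txt -> C:\Program Files\7-Zip\Lang\tr.txt.locked
file_create pid=380 C:\Program Files\7-Zip\Lang\sq.txt.tmp
file_rename pid=380 C:\Program Files\7-Zip\Lang\sq.txt -> C:\Program Files\7-Zip\Lang\sq.txt.locked
file_create pid=380 C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.tmp
file_rename pid=380 C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings -> C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.locked
file_rename pid=380 C:\Users\Admin\Documents\report.docx -> C:\Users\Admin\Documents\report.docx.locked
reg_open pid=380 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
file_rename pid=1204 C:\Users\Admin\Downloads\setup.tmp -> C:\Users\Admin\Downloads\setup.exe
file_create pid=1204 C:\Users\Admin\AppData\Local\Temp\log.txt
"""

EVENT_RE = re.compile(r"^(?P<kind>\w+)\s+pid=(?P<pid>\d+)\s+(?P<rest>.+)$")
# Any ControlSetNNN (or CurrentControlSet) is accepted, not only ControlSet001.
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.IGNORECASE)
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    kind: str
    pid: int
    path: str
    new_path: Optional[str] = None


@dataclass
class Verdict:
    renamed_with_extension: int
    extensions: Counter
    program_files_drops: int
    language_discovery: bool
    signatures: List[str]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        kind, pid, rest = m["kind"], int(m["pid"]), m["rest"]
        if kind == "file_rename" and " -> " in rest:
            old, new = (p.strip() for p in rest.split(" -> ", 1))
            events.append(Event(kind, pid, old, new))
        else:
            events.append(Event(kind, pid, rest.strip()))
    return events


def added_extension(old: str, new: str) -> Optional[str]:
    """Return the appended suffix (e.g. '.locked') when new == old + '.<ext>',
    the rename shape a file-encrypting ransomware leaves behind; None for an
    extension swap (setup.tmp -> setup.exe) or a move into a subdirectory."""
    if len(new) > len(old) and new.lower().startswith(old.lower()):
        suffix = new[len(old):]
        if suffix.startswith(".") and len(suffix) > 1 and "\\" not in suffix:
            return suffix.lower()
    return None


def in_program_files(path: str) -> bool:
    return path.lower().startswith(PROGRAM_FILES)


def analyze(events: List[Event], pid: int, min_renames: int = 3) -> Verdict:
    """Evaluate one process. min_renames is an assumed threshold; the report
    states the count (5044) but not the value at which the rule fires."""
    extensions: Counter = Counter()
    drops = 0
    language = False
    for ev in events:
        if ev.pid != pid:
            continue
        if ev.kind == "file_rename" and ev.new_path is not None:
            ext = added_extension(ev.path, ev.new_path)
            if ext:
                extensions[ext] += 1
        elif ev.kind == "file_create" and in_program_files(ev.path):
            drops += 1
        elif ev.kind == "reg_open" and NLS_LANGUAGE_RE.search(ev.path):
            language = True
    total = sum(extensions.values())
    signatures = []
    if total >= min_renames:
        signatures.append(f"Renames multiple ({total}) files with added filename extension")
    if drops:
        signatures.append(f"Drops file in Program Files directory {drops} IoCs")
    if language:
        signatures.append("System Location Discovery: System Language Discovery")
    return Verdict(total, extensions, drops, language, signatures)


if __name__ == "__main__":
    verdict = analyze(parse_events(SAMPLE_EVENTS), pid=380)
    for sig in verdict.signatures:
        print(sig)
    print("appended extensions:", dict(verdict.extensions))
```

Counting only renames whose new name is the old name plus one more extension, rather than every rename, is what keeps an installer that turns `setup.tmp` into `setup.exe` from firing the ransomware rule; on the real report the per-extension histogram also tells you which extension the 5044 files received, something the signature text alone does not say.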
Processes
- C:\Users\Admin\AppData\Local\Temp\b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0c5c6b79356a1895afa0276e71a47838a0bb4e2771d45c626da6fefae5ac55bN.exe"
  PID: 380
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60KB
  MD5: d892a7fc1e1a9e76f5c1563383ecfe2a
  SHA1: 6b7863565338097acb094a805fdf20f382448462
  SHA256: 26c2f57b1e47d3494de416520880695a2ffb25cee5fbd6544cab24b5f7f6c40e
  SHA512: 7c152f7f10a1777dbe00f88f908fc9f79b2bc0916a1dca37fecd126be6218f011fe1746167707a9c3a9d2e8e1a494c8418fce2fa77013750cc7b6507b43ada3c
- Filesize: 158KB
  MD5: 991226aceff48f4b53b3688f3680b787
  SHA1: d1a9b82b33ce2fe7a49909c73385293f25355545
  SHA256: a51039b96397a93dae4f481cb9fc6197e88831edfcb3ade46a824b1405584bd1
  SHA512: 9f497f547df7a47e58a232163cdea585520f50e879760e335776feea9dd2b6620b10ef990322d2a1329d1e41d46b77b293099a4b3bfc4cc9322851c9477ff785