d7d7150bdf08ff79e2368bf162bd0217993b3b8ae29e35dd539930a2199ce92c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 03:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
Size

46KB
MD5

3f99f8185ddbfbcce70dcb4a3e0562b0
SHA1

3cedbc2219cd41bdb6c824e59bf5d4809372cdc6
SHA256

d7d7150bdf08ff79e2368bf162bd0217993b3b8ae29e35dd539930a2199ce92c
SHA512

3129ec047a23f9a0b35527dea8957047968f5584d265c85eb52541bc011bb45603360beae2aabf92144f56e4e5fe25e9eb2410a9c08d3ab399d52c82e5c887db
SSDEEP

384:GBt7Br5xjL9A7AgA71FbhvnIH2YsTKnKqtaW3WaEdW3WHYC:W7BlphA7pARFbhvOsTKnKqtkYC

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3075) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cancun.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Maceio.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_notes.wmv.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Mozilla Firefox\ucrtbase.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\bin\jfxmedia.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f99f8185ddbfbcce70dcb4a3e0562b0N.exe

C:\Users\Admin\AppData\Local\Temp\3f99f8185ddbfbcce70dcb4a3e0562b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3f99f8185ddbfbcce70dcb4a3e0562b0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
47KB

MD5
db6ae98768a47e405fba32d982d0905f

SHA1
16126fbcfa0968c5c0a8153a9220dae00978f60b

SHA256
292fb99474e91d36afc65b56e703675076a75c0eaa9860578632d1cdc3b56c7d

SHA512
da306fa3b2682a09fcfbc966bc90e570b3478eeb3384d23b4f1c750a23274c2b7fe6c1efb0732ea93ccf3fbb71e88f0d149cc62830336bcd769691da6bfc6b83

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
55KB

MD5
00ebabace810b33c18ed211532d0348f

SHA1
da097aa69738e016a2327fe69c690b122eddf7c1

SHA256
c7843baa11050c21ceccd3f9bce5d8142eba314bdc7a722b5613d27890424f7d

SHA512
daec4944bfc6179f1fcd5fcf9c980146254ffa2e9b70dcf828d8135094908de02ffb3dc813265d4c6da012c7b166d6c0dad6559a5ed16f7eb2fcbca634057af6

Download Submit