bbd60ca3540fe97307e2df085a8448eb106ebdd0aded444f1c65a816b66d6a70

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2991403734f6df99b2795e811b92c650N.exe
Size

292KB
MD5

2991403734f6df99b2795e811b92c650
SHA1

66eb3fb7fbd08fc669540ac61d7d66fbad00b52b
SHA256

bbd60ca3540fe97307e2df085a8448eb106ebdd0aded444f1c65a816b66d6a70
SHA512

c3714fd7dfccaa9062e618ba1ecee75ba4ac2ae8afdc58b83a90e8c7b3faa1b23df510639897500a13fcea0172c9ef68daa6ff97b2690cd28b7b10d70a235c5d
SSDEEP

1536:W7ZhA7pApaX0aX09rDVMFDwU5LenTpnDr5LenTpnDRSfuYa3bztYtzZrZotYtz1W:6e7WpGlCK1I1LyV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2083) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jre7\bin\jsound.dll.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\Parity.fx.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\desktop.ini.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+5.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	2991403734f6df99b2795e811b92c650N.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	2991403734f6df99b2795e811b92c650N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2991403734f6df99b2795e811b92c650N.exe

C:\Users\Admin\AppData\Local\Temp\2991403734f6df99b2795e811b92c650N.exe
"C:\Users\Admin\AppData\Local\Temp\2991403734f6df99b2795e811b92c650N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
292KB

MD5
ff393844e8045879e5ab6567c986ed2a

SHA1
d08a632dcbf1f5d666965ab19108c0f254e2d7a2

SHA256
1dac9be5a62f0ad4de94f2641ab7aee5ba1f59121a51aa6e4baa68f8c6bd22dd

SHA512
54b0d223fa9b555630967bc1520381f856a6c3c894cd31b2ca3121f272b3db0a7a5963a55300d549570d0c53b2f61fedcc2965841f0993689710bf3b3dcf70b7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
301KB

MD5
d7724a8729a8e99218b364698ce7b1ac

SHA1
43107e9d635184f6fd28a1c5a858698e8f31c5de

SHA256
df19020f1b16dbf22020a56642a2d6dc01767e413ed17d3740c500a70d739fb8

SHA512
cc5487f1c2a92ff05b60db5dbd1b047f7174b7c4cd4621e5c7e6280f416959c178c05ab86208ae2c7fa5a1413f0fb446819c5913044552ff725d7d9bc5f7c7a5

Download Submit