382b3e651bc591cba9d7b5b0c17a5bc0bb17989cfc9d1ace7dff298cf3aa5e66

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
Size

57KB
MD5

ca2c585bf3b5fa73963d44a79e2fb5d0
SHA1

fd7c6d69e81b7d5cf6a20b816cbeecbc192bd0f4
SHA256

382b3e651bc591cba9d7b5b0c17a5bc0bb17989cfc9d1ace7dff298cf3aa5e66
SHA512

61879107fa750b6a235fd691eb689ac3363466d460d9e98ef0e5c8cfd466c7e1271e73b39d669ad865c954c5d486e9ca85e2066f5897c4510df77b75ea0b2484
SSDEEP

768:/7BlpQpARFbhIYJIJDYJIJxfFpsJcEKLF/MF/28HaT9d:/7ZQpApze+ejfFpsJPKZ2e8HaT9d

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nome.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\vlc.mo.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Panama.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\security\blacklist.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca2c585bf3b5fa73963d44a79e2fb5d0N.exe

C:\Users\Admin\AppData\Local\Temp\ca2c585bf3b5fa73963d44a79e2fb5d0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca2c585bf3b5fa73963d44a79e2fb5d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini.tmp

Filesize
57KB

MD5
f9757d9ab488995c8b998711ac7b76cc

SHA1
84a93480ac305aa84633982ed673c60804eef46b

SHA256
6cf89b73d86d90425b20c28ecbc259af412e29069139f949d31eb4b1448509f1

SHA512
49218b50328cac1608df8a5bf6fced5ed7e09cab877fbc3fe3c941638eb4df92cd925fd0996de6e1b9e280fc74a532663a1db7f04c4b0a57512aaa243f2565fd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
66KB

MD5
49ff7d1ec39832242be49c58b2044e45

SHA1
78a9651933d249feb8bb2ca7384ee04913fa0389

SHA256
c159eaa2feae66da739378a2beb479a90fac63e71c599a8bda66c31adc74e874

SHA512
6865f6e1428577035283c6ca8624c549e45767d15eee5a86a44394ed577bf42660168fbf53eb25da0989cdd72e7cb1806e1170db8645898076187b9c169c1714

Download Submit
memory/2284-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download