29b4c5e81ac9e87d5197a1c7b182447c1b58b54861d3295d06a9498aa58e5255

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0643227992fd60411400fca2f7f5bd50N.exe
Size

42KB
MD5

0643227992fd60411400fca2f7f5bd50
SHA1

db7b616f78681b6a2fdffe1525ca8c5c1bd37a38
SHA256

29b4c5e81ac9e87d5197a1c7b182447c1b58b54861d3295d06a9498aa58e5255
SHA512

9411b7aa5e81c2ee39a464a3673e8c5014f0e7c3e7c1160a7176386c4aebb50d7a483b5171b992be1856d3166f96b1c3afddefa6750221914bcb3fd0d59d8c07
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpT4wWklr:W7ZppApBULcfpHLcfp5WQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2978) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Recife.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Accra.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Phoenix.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	0643227992fd60411400fca2f7f5bd50N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.tmp	0643227992fd60411400fca2f7f5bd50N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0643227992fd60411400fca2f7f5bd50N.exe

C:\Users\Admin\AppData\Local\Temp\0643227992fd60411400fca2f7f5bd50N.exe
"C:\Users\Admin\AppData\Local\Temp\0643227992fd60411400fca2f7f5bd50N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
42KB

MD5
727da55c22158303ebc5511164d693bb

SHA1
1c967663c244502f0c626746f11ede1268f74892

SHA256
a19737c9e783bf3f1e79189a2750593f000e45b28a5e7720fdf3c5283b34caf5

SHA512
1056b6068a27cb706154f9a7bbb5d9947373e06a86759547fc77a9b028f72b6e1898c7ca5df240f48d0da7dffb6d8ff43f4e90832c6fbde0a00803915c44302b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
3d82fe20db912165bcc6fa37387885fd

SHA1
8c0dd0b11dd4abe611cf2dc43dd8e3b1e0b059f3

SHA256
e1f9fe812c790e4feee9adfd9baf4a30f51b2f70d2730e57897fb4c5fdbc112d

SHA512
6bb55ecfeb9f3ddb28193c23f2c3e24609df1985d73b9e24211b9978a5b9ae015b84d4a81f6b835a9d186dd081832a991564e710c7fed2972ab4597fc21dbc32

Download Submit