97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519

General

Target

97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
Size

38KB
MD5

c6450dc1a27cfdb716e612a30dcf2dbf
SHA1

88d1083df16cc3ab43f687791c5da2a503238013
SHA256

97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519
SHA512

574f3261e64271fb9299b1283efb3bc5d8be1ce73ffe589bf8b3fdaae703254eb5b2ab5e57162d70b55d809bddef3fa9ed4bf21fb6431e1b68df7e6486ff72e2
SSDEEP

768:W7BlpppARFbhjbhQYjYY4F2j3TK54F2j3TKtnv:W7ZppApB1W5WZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (447) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

Processes:

97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\FindRestart.jpeg.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe

C:\Users\Admin\AppData\Local\Temp\97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe
"C:\Users\Admin\AppData\Local\Temp\97ad2fb4ae3d41f4eae0cbc1911d484c18807ea009740b4dc65bfb66c04ea519.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
38KB

MD5
7bd8563e75568bdb4c2649da1f65aa8f

SHA1
a5677865d895f8676567e22b7981eca45be5e975

SHA256
bf628c08bf657edc876c3694f670486f520d606ab7f2971666a95d4d7f5433e7

SHA512
bfc265c023b96e9cd822a4e76bfedfc9d3f977e395a89d8d755be46d21b72f404afd970e4b5a289391f5cfabc3392971d75b2adb7a5682eff424ef148a21ce8d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
1d8d1b9501343a5731c48c805784b84d

SHA1
ea14564f99826fbf9b314f5a4554e489f0454f1b

SHA256
dc25164a480f719f868d9160e020ea295b2db379cc857fdb295aa799a9ccce2f

SHA512
e92b4c26107f0b7f105829cd7b4db3453131ce97088f19bce2a45d089fd6f2c977ab853f8641bb80dafd508b97b37fd90126441770fa7befed4496d81b3e4df0

Download Submit

Analysis

Sharing