670a36b1a8ec36e4242082a11df51be3e5ceb191abae7cc688f5742e2e29bd83

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8481aff05cf34d06cbef2bda80792700N.exe
Size

35KB
MD5

8481aff05cf34d06cbef2bda80792700
SHA1

fa6d71acf727bd759cb8b272688cbbdfe64f89ed
SHA256

670a36b1a8ec36e4242082a11df51be3e5ceb191abae7cc688f5742e2e29bd83
SHA512

f6d76f62da99480642246f4cc17032a4f3beecb7405b7011342e06be82f4d2c608fb160480f7a2a32e0ae79bdb822551dbb2c875dc36a142ec24ddacaf70d45b
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvYYjYHbJQJbwXK5c5Llv6Wlv6d:W7BlpppARFbhjbhQYjY94OK5c5J6a6d

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2901) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Mozilla Firefox\ucrtbase.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-over-select.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\Minesweeper.exe.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Malta.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-util-enumerations.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Toronto.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	8481aff05cf34d06cbef2bda80792700N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	8481aff05cf34d06cbef2bda80792700N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8481aff05cf34d06cbef2bda80792700N.exe

C:\Users\Admin\AppData\Local\Temp\8481aff05cf34d06cbef2bda80792700N.exe
"C:\Users\Admin\AppData\Local\Temp\8481aff05cf34d06cbef2bda80792700N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
36KB

MD5
9a5531b8bdc56ba1723778be6c2fee1d

SHA1
bd30be0fea9f621141fde28e967f0f86c0909f93

SHA256
500f2eb0b3bccbe2c53f2b28414b1e33b5045dd02ec62b7bc340d2803e03663f

SHA512
c341f9a15b11ca4c106e8cdf0bbb2a27c7d3e5f0858ad3c6e3eacaf02186f102604aaed4bde5d6c59a0402eb3ccc7d3b3d3663ad7a2c64ecb3e8c66a609af76e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
45KB

MD5
64d3950584f9892950fa60e2d0788b83

SHA1
95d80f8ef8f4b3aa6760d8386ce84d84d5846dfb

SHA256
fbbe74f27a8f5bf65b0cb3393edd8d6b9ba1405d12932439664b6fbb6fd74dd1

SHA512
886cfd13974ed124f6729f01be43b69d682c3af0f6964e5e5b498dc3c6e40e9800006b99713505476981136a64dafce8505ea53a5c795dc29d71a1b1a62a524a

Download Submit