26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
Size

33KB
MD5

ff9ecbec0ceaedba8084ea41223505e6
SHA1

813f4e050811f54eb8e04f0592a73bc65075c444
SHA256

26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c
SHA512

255136888576292f6008ff37f64c5392e9bd5360d4dce639387428603de80f67f031e2fff7bd7f8997e35095af4929ac2264d8e42ccd823e7d529f367b37cd7f
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHhpqSwnwp:yBs7Br5xjL8AgA71Fbhvsdwnwp

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3797) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Nassau.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\hxdsui.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_bezel.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\bin\libxml2.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe

C:\Users\Admin\AppData\Local\Temp\26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe
"C:\Users\Admin\AppData\Local\Temp\26a90f36b8c8521260b85814fa6f84b227ae268b2e21f1914ee752669131580c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
33KB

MD5
9d01247fb9942f0cfd21fabf245d5e9e

SHA1
95587c28072b24a9e5dac049649310585ca5c2d3

SHA256
d313d44afc09178ecf8252facea93e10bd4f06e5a76edace362351e7cdcf82ab

SHA512
171b33ab9d5526eab4a94a4c1ee1d1874a0eaf13c1863b85ecd6b66a28c6fc79ea80fd2dc371abaaefaf379a28ac46cc87a0d74dfce2c52859e7d801a8da5abc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
42KB

MD5
c1d2d5dc4acbfe4dcd89343a945201d7

SHA1
bf863151bdae9ae3ad8ca0b8bdcd924c01315400

SHA256
c1d35b20b6df8655120ca647d0b245b48363df19fac0347bead5c4f6d4589055

SHA512
10e708d81e0b3b1b945e72dd7f93aa4d746e6d6cc9605d71e2f39091b68c68f308a019abab7ebc3f78d74b3df266fb3852a661ae2c4398f99eab79394800b205

Download Submit
memory/1932-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-668-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download