f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
Size

37KB
MD5

edf1d402e90437214c83932626371bb7
SHA1

3519acc63c888a9a11cd5ea256f3dfe9614b909e
SHA256

f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469
SHA512

593a122c5d28459ebfadccb666e30fb5c86c81c0cfe79a9fe66d21d521b4f166b69271e4e520009b9a2c10693d4a9fdc4f5569098310f0816e2fccae368ca61a
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzYlzGAlzGY:/7BlpQpARFbhNIAGoGY

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1170) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Internet Explorer\images\bing.ico.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\rtstreamsink.ax.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nome.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe

C:\Users\Admin\AppData\Local\Temp\f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe
"C:\Users\Admin\AppData\Local\Temp\f96c2f78a0a16561f8efecd83998e8496976584b18c6d8299572e7a77243a469.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
37KB

MD5
7844f19b6c7d9e57433a9db52bb57fe6

SHA1
5d4b0056870d85c00e54761ddea526b5be5525a9

SHA256
85d9c1c6e170d72ca48703aa5a25cfac4a975261e3c6266d6bfd4ae8924cc3ad

SHA512
447a40360a95662677cb68003edc264cbc1561ba172f6ab0e4cba8c736632f63046f12f83d89895a53e3e8f9c79cd60492591d7dc8418e766bada924db1364a5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
46KB

MD5
936725ef695fa29d0d13a3cc23b21bc0

SHA1
ea2960aad7d1d3d37cfef65c61eeaa04e81dc2e1

SHA256
778877fe53e5060a01b337a24796eda47bf1edc592a4988e03eea6238305ec66

SHA512
34725de04d77356f6d287b5824d257a9ac235e60cc29ece04721128a7082d9c8abf2c620c7e94fcda48dc50057ca08ee31bbd97bd3a3b131bf15ecb38328289e

Download Submit
memory/2596-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2596-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download