6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
Size

57KB
MD5

85680a847cdcfd4914f44e0f4d0f4baa
SHA1

d91fe085636624a37633e2e8b242ba2ee8b58474
SHA256

6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1
SHA512

c4177886c695a5f2f9e068a1a755d24fdf62211f52fd91837e15e92cc908de320c5b919b8afa3279eb9f9ecbdb460ce3f59bdb48ec47457f22ec185c9abcd8b6
SSDEEP

768:W7BlprpARFbhJ68nNIreUYEreUYX1nzgDgV:W7ZrpApJ68nNIreUvreUunzgDgV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3744) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\UnlockReset.ps1xml.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.CFG.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\wordpad.exe.mui.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Journal\NBMapTIP.dll.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.tmp	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe

C:\Users\Admin\AppData\Local\Temp\6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\6a26ccea8300f4a6078a589fc60bde5e366d6aa1b05a5652fa475be0c282ebb1.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
57KB

MD5
dc6c7ac23906cb74a8532a47296fb3f3

SHA1
c0cf6fc441f6deb54a6225eb4618227e7436ce6c

SHA256
23db5642aad3738ea230f3e68dbe0c174a864cbcb7b484cce1e3c2bc6400de77

SHA512
5bc7efa1e067347452cd1f930a16e42e39d0d1508e2060771f952d81ace88febc43e52a0c85af658392596248f228744475f67426a851b5b85b98861ecdd5540

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
66KB

MD5
176632ea5ebfa81a78a6b0d1929bee7e

SHA1
cd1e84f076658dd757d364e45651b556edae2196

SHA256
e7556c142109b44269713bf95fca314508acd982eb2cb47a6ace9f05469cf6a5

SHA512
b928572fcc2b3d0b8318337411c7140894e043b322055f63cd9655ca282fdb430f08b993d27a2f7e82f3849e3016432c1aacc986b2204d49dc2743f3a7bf2ff9

Download Submit