8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
Size

68KB
MD5

954d9d976cfe3694d954c9998d96eb0a
SHA1

ef769b39e9415687be7bf906627d8893ad42d5ea
SHA256

8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6
SHA512

f8a69fd5e020bee5d00d07662008381f79e97eebdb273994702e6583978dcf7228b20adadeca300c38a785d32ee5338035590d1a706c56d5c2c9f3be3ce99ad0
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJ9VD6NVD6GUhYTY9:9QWpze+eJfFpsJOfFpsJjub89

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1030) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\desktop.ini.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fakaofo.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe

C:\Users\Admin\AppData\Local\Temp\8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe
"C:\Users\Admin\AppData\Local\Temp\8c9b355c643c7a175e406a8e4708e3d67416dbcb491ced63ae436eb628bac4f6.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
68KB

MD5
8440f3fa823ac3d33adfb700825a42fe

SHA1
65148227ad9412e55dcaa73824a81e50022bff45

SHA256
c7085f201727869fe81177f2f47ba9759d30847239356c0ddd38070e22981e9f

SHA512
a5dac385298f1626dd8eebd8a8466f5c58873c247a30e657f8a6bd4458fcae2d3e61391a0b6f46c96340912f71a02066780b7874bab1d31ef24b406f09195e94

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
77KB

MD5
7daff43a3bc5058558ce77cd90a5b4d8

SHA1
0ddf0231657fb9b5e64b3650de6bb7afcc4ceba0

SHA256
d9e88a91e2fca1ff3baa0abb318bdb62910443fb3b4c522bb78384ccea44e672

SHA512
0c254881f59fea24397e51b63a6a25ff5a158eb6a3ab5358729b9493b14301b0dd8335a6a8858b2be199120b08bdb2cd2ada6dbbc0b506473e013074e867b6a2

Download Submit
memory/2220-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2220-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download