050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
Size

76KB
MD5

d27049c40cab366c49628d2fc190c1ac
SHA1

f074d2814ee6c64ad7970e81d83b6dd36bf0772e
SHA256

050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c
SHA512

c5cfb72dcf0d12e0003c516fc3db41e5bca0e6717689ddf284d6fc01f4e5d403006a70981d96b56786cbdd7de84ccf6f7883418d557b3488e0216f97e7b17ece
SSDEEP

1536:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5GT6SmbIbm:6+WpDfmRfmh2TO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3676) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jre7\lib\resources.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Design.resources.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Mozilla Firefox\freebl3.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Barbados.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\libvlc.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Mail\fr-FR\msoeres.dll.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Mozilla Firefox\update-settings.ini.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\flyout.css.tmp	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe

C:\Users\Admin\AppData\Local\Temp\050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe
"C:\Users\Admin\AppData\Local\Temp\050af7422d7428e0e745bacd28e4fe945fa2a1fca27dd08231326a8f7364da8c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
76KB

MD5
b12d2ec598ebd60d17e1e3ba6b205216

SHA1
3c2452e6e98adef3e5a08c941b8dc70e42402eac

SHA256
61826610fec4c71f0e9a590295d55cfe88447fb53756345c133f486daa880faa

SHA512
bd03b0c12b89352019147a98c03ba46716c84b3d7f9464be49278b9235ed7397d2768e2a84942366dc65f22e5da9dc9967523f69f7811f254404027e543f8490

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
85KB

MD5
fd2b49af63adda70881cd80bf92d2c30

SHA1
2e6fca421d19d857c147abe96b296ba3c2065917

SHA256
dc25efa9461fedd441b6ea6937a7b43e3b2de87fc7032589e3e56b4ee0c4b1ab

SHA512
0b4232af78e37c13fe0fbf1b7f626a3d0fd75930631b3a36beaeee81602806da1dba8a4ab12ef1fc2b05ffb031407a328d14acdf99d9aca69cc44e5576535f93

Download Submit