e67efa169a1d2e25141a4b83616474c90cb9e215609d2052fa66d467a6244fe7

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864780c3bfb3f858695959432ca92690N.exe
Size

64KB
MD5

864780c3bfb3f858695959432ca92690
SHA1

fd7d5b16c4b1b2ab9974a0f3bc72fbfc7394227e
SHA256

e67efa169a1d2e25141a4b83616474c90cb9e215609d2052fa66d467a6244fe7
SHA512

8d34ca285a52df6a072b8fa496b8e0bceb02e0367597135fc54d83bc6468ba93a7001763bcf5917e1958076064e6f005d62d22bab363ceb49a504e76d3a8e86a
SSDEEP

1536:W7ZppApwEwnmJARJAaXxXNJdkCKPuJdkCKPm:6pWpUnDXxX5

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\ExpandConvertTo.jpe.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\bin\javafx-iio.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\bin\jsoundds.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\currency.data.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belem.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Riga.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.tmp	864780c3bfb3f858695959432ca92690N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	864780c3bfb3f858695959432ca92690N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	864780c3bfb3f858695959432ca92690N.exe

C:\Users\Admin\AppData\Local\Temp\864780c3bfb3f858695959432ca92690N.exe
"C:\Users\Admin\AppData\Local\Temp\864780c3bfb3f858695959432ca92690N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
64KB

MD5
1391d6dc6b5f530136d193fa440cff33

SHA1
e62b8ac41202dfc3ee6d619b6797f480a23db372

SHA256
a869a5da681132330234c5cab015aa626153777d4304097588404741dbb7e675

SHA512
d0b7438c06e6b600e254d5fe415757a978c88043e19ae751c8a54d202a8b1ddaa10c680e1b739a4746c0c16e5a26787be462a5673a099d7f7b66344d598e0ef7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
73KB

MD5
9c0fdef282b5016ac0cd1b725a0cfc35

SHA1
75da96dedf9b3def0a542029bccc4e128ba5197c

SHA256
755b0f5242e398e6f2843c18fc0250fa03f445d43d2f6569583ffaa08f9b97b7

SHA512
6aac4a9915345b30223161d726a3ee4fbeab5a8c9b760535f77fdf8980120fc09523d5d5bea0866c849d1646f6bba31bbfce946862a53c31d353de33a118abe0

Download Submit