1a9d186b846c0d3b95bcef5df2b38a46e0567b870a79a4d9aa8f7cace943a237

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73b647f06af8336c2fb61faa0df80c70N.exe
Size

40KB
MD5

73b647f06af8336c2fb61faa0df80c70
SHA1

1daf51e1edd3ddbebfd560ea2530c7af34ba4381
SHA256

1a9d186b846c0d3b95bcef5df2b38a46e0567b870a79a4d9aa8f7cace943a237
SHA512

5b969824714af3d7ca11b2d48de3a23ecaaebd5e95c097fb3dee28e9013c014dbfa6b8ffabacecf20deafa7a8bfe946d098b693b726dd316e61d29bb25173dee
SSDEEP

384:GBt7Br5xjLdbAAgA71FbhvU8g0U0fLMzyKbNzzyKbNQqvpK5c5w:W7Blp+pARFbhBgnKLMWK9WKTvpK5c5w

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3334) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Auckland.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Hobart.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\bin\java.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\bin\hprof.dll.tmp	73b647f06af8336c2fb61faa0df80c70N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf.tmp	73b647f06af8336c2fb61faa0df80c70N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73b647f06af8336c2fb61faa0df80c70N.exe

C:\Users\Admin\AppData\Local\Temp\73b647f06af8336c2fb61faa0df80c70N.exe
"C:\Users\Admin\AppData\Local\Temp\73b647f06af8336c2fb61faa0df80c70N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
40KB

MD5
2fa6ad2af753d842413aa636d52271ba

SHA1
c27fe6a0a6a8be01e89292b06660016c7a147a9d

SHA256
7fa26fc6d0ff86fddd4b563081f60c449a7194a9db8f2023f541246c343ee17e

SHA512
1db65a8f4bd35717f92bf5bc9c414c17e4a6622c9206d60665ac7b0abfd6d871ee205a51a53da2c51fd6f3fa020e340d0bd46b18e768c5e9d0055454fe02346b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
49KB

MD5
37f2e86ae9d7738b501ce1b8caf4d72f

SHA1
66c021e88cf9565bb70e740aa2c57183181b89f5

SHA256
97a875cbe0c7aa8af84c881664fbf1de20125cbbea56e100a90f507593f05401

SHA512
5b51ae7a65abe6cfa477f3f3e02aafaf098aadd587a11060f58b4d2dd6a6bfcaab417aeefc76d05ede612d8a32a6c543214dce1b4f8a9e8c8c2589fb33df84b9

Download Submit