72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
Size

46KB
MD5

c268e88839037c3ea70ac88f88eafba1
SHA1

aaf4a4f4a2838aabe5ca3600358ac25e8f89638d
SHA256

72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb
SHA512

6c1508b340b91b66f16247bfb3d9a74d45bbe429e1c9d2b60651052067f744f5c5e9f70cf12655bc1186e193d618c94e70e672b00719ae0b6d90f66fb787c46f
SSDEEP

768:W7BlpppARFbhbt7Y7wTCg0hcM0hcWqqqn:W7ZppApN0hcM0hcWqqqn

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (1085) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Internet Explorer\perf_nt.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\offset.ax.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe

C:\Users\Admin\AppData\Local\Temp\72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe
"C:\Users\Admin\AppData\Local\Temp\72601aa3270a83f8786fa84ca5ae1d837f18254582993b13e9739eae983f47cb.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
46KB

MD5
b27583bbec3cbe5c83a838d5dcae3ad4

SHA1
e22f0055f6eafa2fe6026b3f4567b4a9b94f74b6

SHA256
9e0973c6a8d59f5ef304fe5ba42bb982479d033527ad95a40d1c7c58643ce998

SHA512
55b1e019aa080e335c3ed6fcb506152cdd92c39107b4006be82a2826e7e60709d6ee8ce8d0358bad5b8724935afccd698a01c75f35c56336c057fcd84d71c5af

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
55KB

MD5
5243419c6351281e4882480e480a3324

SHA1
9aef686b9cdb6cd93e015883788d59f4bc45d55e

SHA256
a79855bb55c1aa2847b2e72ae2a673a3da8b13125da72de8c7209b6764ab67cf

SHA512
073a5b9c8cc9db1ea44eac3eecb2ad184ff3377a701a80d4a88f8948651302efaf5d54b4ce28dbf692ed612bade67ea0f0baecd25ef1058450c25d5adc316272

Download Submit