29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
Size

45KB
MD5

7a6b591712bcdbcf4fb06dd31bc140aa
SHA1

6688907051e105ec84f723cb257b7b152c6f55ed
SHA256

29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57
SHA512

3dba4d8bbe679ecac7683b5dbaad4fde3ae7346d522e11c03370eee5aa7e1f4879156bad858ed9d7246e7e4a8e6fa5c91db3b3830b7e5db9aba9f593a24313e9
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNQFrs0AqAJwO1AqAJwOfF2JouP2JouQw5A5b:W7BlpppARFbhHFoqAJwBqAJwRJofJoTL

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3770) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\RequestDismount.mp4.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\view.html.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\alt-rt.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows NT\TableTextService\it-IT\TableTextService.dll.mui.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dili.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgRes.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\bin\server\classes.jsa.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Journal\Templates\Shorthand.jtp.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml.tmp	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe

C:\Users\Admin\AppData\Local\Temp\29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe
"C:\Users\Admin\AppData\Local\Temp\29f0d3e21b92fc7b13c7162b49c2752edd01730e33e09c1ceb1b1af6886abc57.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
45KB

MD5
bf29f4534c7da61d34ab71743ddc86e4

SHA1
a78da6b7dc7d1e80860bbeeaffdd230d85732b42

SHA256
d49764042604e30bb03e2585c63bc17a5cc47972bce43d7c570bf6924b1284cd

SHA512
c4c891990258e6a5279b07d67f2017a353b9b8f84a2f299a0f71cc84cb2b767e0baa739d1b78eaef331bb315471e03c8b450cc2548d628568a43be595519e0da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
54KB

MD5
27717341932ff38a97c1d0dcc976c8d9

SHA1
e8e581a9b07b0981f98981a7fc4037995e7acf7e

SHA256
12ad46bcc5f5a813bf0a1c80f9926863d882a641113d8d7d69161c35bc0ee029

SHA512
ce46278545353f9c0e917ccfdf4e383f346a57de3c7172cf90ba3f8237ed15a11d001828626dea61b8515872b0406ba56ac96705ad8aeb2a6a7be37d00b738e7

Download Submit