502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
Size

109KB
MD5

521778a2d91ce4dc1c689ef0e2987012
SHA1

ee57f8c8a9318d6d676bfc31f5beede5f75a2200
SHA256

502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011
SHA512

117921a812a916e359c9af8d28ac3eac3cf5d5c25b23df0bc468b1de46900f965974cc29c0ce3c39be80a4236e1667f66c945aceb8a4e72899db65326f8dd69f
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/8z3MLD9ko9kc:6DWpwE7oL2e+efZwZ08i8z3MLD9ko9kc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3611) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsTap.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcroppadd_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libscte27_plugin.dll.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe

C:\Users\Admin\AppData\Local\Temp\502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe
"C:\Users\Admin\AppData\Local\Temp\502105e0e73fb04e11c24468c23ddb10e47cefa12c0c1f03a479765e50b01011.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
109KB

MD5
63f7cff3ba25e5736e612899bbd92678

SHA1
d60d116040e1c7a9cd5b026812b19ceee607a301

SHA256
adfcfe2d8dadc3e96cdad43d78fbff55edd5b0d9c1b5049518f3d3a893bbc0da

SHA512
bd5fd02fac98dfe8ff457fb62f8b178beb3df679c2c805371951f4acd517c3858af857b261e0aa0cb235abba73cdf1bf1f4118335d11d78fa433d2c545409a4b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
118KB

MD5
6bdb291322d317a4dc85d923d0faea9d

SHA1
ece493eb3daad89c0d9db190f643d4c615d3e76f

SHA256
e95c90d212d24362133927d2a362434ff07f8e9d4a93f85a38abc45f3b797f9d

SHA512
f076a9da0cb5c2f8ec5b56f362d7a82c1d7fd44ca09e9535a1d9f104ff0f15fe9ceb75cd563af58e738b5bea0b72b13c3d03e284f72888320411d4fc158b4106

Download Submit