66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
Size

42KB
MD5

cb90cd040d211af80d5949b5cb8731b6
SHA1

4ea1887c3db523c46e50b32218123ea4c7f440ab
SHA256

66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc
SHA512

46a28454fd9ea1ac4cae79cc3417ede5bb854f5992b869e5beaf8a48b43c85c16bc9ba77f282fef73701361dc3c24c2e09f167f0d52afa0887d89922dd746ea6
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzS5c52dgS1AS1v:/7BlpQpARFbhdS5c52dV111v

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3823) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\security\blacklist.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libhttps_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\DVD Maker\Shared\Filters.xml.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEINTL.DLL.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_100_percent.pak.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Defender\MpAsDesc.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\16.png.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Windows Journal\en-US\NBMapTIP.dll.mui.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.tmp	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe

C:\Users\Admin\AppData\Local\Temp\66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe
"C:\Users\Admin\AppData\Local\Temp\66a4ab3187879e74c67793e1a048fef59fbff7114f621e4ae1cfeef98388aafc.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.tmp

Filesize
42KB

MD5
749c1db34ee67e2fd2974687617c384a

SHA1
b1a0856df4d8d0023d325e61cfd405eb74b1dc20

SHA256
190379f20eab1478fdbc52562c48b87f3a807932934a15b01ebafde6e60fc49e

SHA512
bb36de76feaa8c301d423b7eae5973004208ed37ee6eed49fa741b8cefca6a2659bd2f654225ecf611a9dd3a00cb1144c6ccc38f0dd4ce83aa775e8a79ec1d6b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
51KB

MD5
7ac90a6ced19a06b73c080934b5f54fd

SHA1
15dd35ad2e69a4832c0c75d4e6fb2dce78a9cb5c

SHA256
8ef063da4173f5f0b47b9f669d60f1fefdd821625e6185d53d820cf8be27e043

SHA512
db21c0915b7b14432de0b2731ebace46074341e6d2090cf5df2a9c41ad991e6b1efb70580cf865e43d4ed50164ff353ec654800e5b79dae044cd8a4242ead996

Download Submit
memory/2232-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2232-664-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download