04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
Size

57KB
MD5

4f487a9421f5ed437282d652384aaea9
SHA1

eb831359f8b18fc55cbe3f4bdc8f519cc521088e
SHA256

04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca
SHA512

98ed997bd45eed1f5559e35fb8b51a62348e1e38ec57250b1dfd8705c0e40461f51686f4c831ab714ad43a88cacaca15c6e88b0dc163dc961f405611c96a495c
SSDEEP

384:GBt7Br5xjL9AgA71FbhvuNBNKVkVYlIAItCCIntkntV/PMpMf1Dxp1Dxw:W7BlpppARFbhFAxC7ntkntV/kCHRw

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3800) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Moncton.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Mozilla Firefox\locale.ini.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\Sidebar.exe.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe

C:\Users\Admin\AppData\Local\Temp\04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe
"C:\Users\Admin\AppData\Local\Temp\04fc3f0f6329e752af1c53cf4761b3dde41352918235253992a717cefa160eca.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
58KB

MD5
324400bf8a7944e93840ad2c879735df

SHA1
341701dfcaa1bf40975db4719a8f39c82efa15f9

SHA256
07a6042a56264c662d08634b2d26cf64c3b11662d4bb5ce0867fa9d7ef6e5f8e

SHA512
b8ec61b6d9766e23894143205f8360952d6dfd22f2c5370df04966d738fe6b285603070f50b9c3354dfa27e3934e43a2b372c95cbb05b533b2e00df152c10b1b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
66KB

MD5
4cd70d98b96836e8b8bd16ebd88cc39b

SHA1
1506a184715e83c12b0a893ccca183f3282616e2

SHA256
d2a109bae403e4451c4f44042396c75a9d82988006f5ca2577f9c83f46d5494b

SHA512
01d9e17e048ca1e2592d54b3a11e610057140d3cce34227f16033fc654f856518c5296b0db8648f554de9dc282455995bd3557bb8a4c0715a555fa6f763f51cc

Download Submit