36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
Size

39KB
MD5

57f763c6c4bf06633dfa30581b3f99a4
SHA1

abfdfed9b6f6403e8bb30f32127c44ecf3e3d89c
SHA256

36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77
SHA512

8eef37ada69e4e692899fc287aa35d29b9e2b2a43d435acdb8bc074476babc11f1efefa898741d0fcbf97a330a482e17265a3bb3f6e73eb47b7172f0b0fd96f3
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzfIfHLW/l:/7BlpQpARFbhNIV/l

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3770) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\bin\nio.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Mail\MSOERES.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Adak.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.tmp	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe

C:\Users\Admin\AppData\Local\Temp\36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe
"C:\Users\Admin\AppData\Local\Temp\36666a098639ccefb25fdb2d09fde93c86128552132445d5189a6305e8318d77.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
39KB

MD5
68a3dc5470ef2bdb25aa2abb966fca48

SHA1
cab11841ee9d24eb12249071590489d55fd09c02

SHA256
ac2fe87b4b9b6bb165466e0ef60d52b4ad0188d86e4a61ca0dd872a8bf7c558d

SHA512
a117295d1d2a0775218444955c213b0c6fa5674ded0f0da5d6f69db82c3ab4813a5b67cdd85e008a74517ad157ff615a2928747d164b9b394e0ad98f0f0b8f1a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
651cf4130a36cdfe07dd975062ea44d1

SHA1
7632cfb8190cb7fb539d4ec4b9b353f732ab2eca

SHA256
76daeb43fcdaac93525600d234d8f776540c9de8752200e5e73fa4f0b338ccae

SHA512
83c032441a54dc3c8263bfde9dff04de0bc8122d72252ac4be8024810a0a1b2043ddfc25c0a6a89b783e96cf6fcbee36c00915391a3c9d292b39ceaa92753899

Download Submit
memory/2344-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2344-660-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download