a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
Size

34KB
MD5

6bfb04858152de5d46298a316c2e51d8
SHA1

37c203f94814b02e1f606976028bb6db388d64ad
SHA256

a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98
SHA512

31257adaca022273e4563a9fe4420f7bd49c7c5192e27eee9e27886cd75c1e8d8746be1b1562ad879aae6336b7dcf17af106aad9f762e228d6487d42a42789e7
SSDEEP

384:GBt7Br5xjL9AgA71Fbhv7bhvo42L5FgAytBpR42L5FgAytBpKU:W7BlpppARFbhjbhg42LcfpR42LcfpKU

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4110) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\daisies.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\ExportConfirm.wmf.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\bin\javafx-font.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hebron.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\bin\net.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Athens.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\ext\meta-index.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\ExportConvertFrom.sys.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.ja_5.5.0.165303.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.INF.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGM.dll.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\PREVIEW.GIF.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe

C:\Users\Admin\AppData\Local\Temp\a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe
"C:\Users\Admin\AppData\Local\Temp\a791bfcb06230afc0943a597a4c8b02fc64ade9395f3b79564c299fcf9cdfd98.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
35KB

MD5
e254bf5044695dfb17306d84ec1d4dc5

SHA1
faa76a5971df47eed149b82141a842ba99598442

SHA256
e3164e2d66cf6c4939adfe6a66361cfa9b28ab81325b9535f64553260f157d07

SHA512
aba3687f25a6dfb781597d94ae8eb71e70dd351b0685d6ba701164437e231fab4759cf4df47b0d1a6de23715d44093dd9043252cd1a8d17b23d8e44363539929

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
44KB

MD5
2e8b1f554bfeefa1014cf8011af38d82

SHA1
9bf2a9ad6be183bed188aa378b40df4a9694c429

SHA256
ca54dd66eadb45c7c90c8b29993fce382c0c0b9e210d3dddf3e270a816560f08

SHA512
32195c380153754aa67b6076269ae738eff7d4a3cd675dcf7f7fc9a853e4253e50a3f5c0a1a0e2c8dad672b81f18a467b7fb8da359c3d2289906cfa8c40f88fa

Download Submit