b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
Size

61KB
MD5

33f430a56ff7f806bf9d327b581136d8
SHA1

75ce9415e686fa88f8b94b38eb36d9a65378e33e
SHA256

b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f
SHA512

220613221ed736a43b606c4cfb57385ca59f8d603a337766846cadf7813013e4c3fe7eff362e59422c0fd16d628853258d0c7f290fffa545d16028acd77b32dc
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfpVF/MF/3Nw/Nwk0cEMdV8IEMdV85/SD:W7ZppApBULcfpHLcfpX2/Nw/NwmxXD

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3824) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\zi\HST.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\VideoLAN\VLC\libvlccore.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUAUTH.CAB.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\meta-index.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipBand.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Journal\es-ES\Journal.exe.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Halifax.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Currie.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg.tmp	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe

C:\Users\Admin\AppData\Local\Temp\b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe
"C:\Users\Admin\AppData\Local\Temp\b854a4a276d67caab6b4a65c737ed9b742828957be905120e3500b137843431f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
61KB

MD5
2ec157653a14f862a992579234438a1b

SHA1
3e8e726bf7f1b0bea395b6ed5db1b519ceb4e4f2

SHA256
15c159bb3e4c77798c4145016fdf59af3155676f670a95ee98d58cbdc5481091

SHA512
30237f7233d629109947035f2a9e1afbf441ca743e5f61b5729bfb9d2b1eba166cce0d1ebb2f3a747b77efb25002049cdc3e54c08b72ba49bd685c726bbcdf86

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
70KB

MD5
3962bcb652907b20ce45512411c97b7a

SHA1
2904192234457b36862bf304a09c375fd57ecb7a

SHA256
e429f2bdb38b9042f1eae65b128c7f834027b68797e49f580fc20e3a242d3677

SHA512
9e4e327d07541f0abb29ed6bf69292e6c4e7543abfc717cd01d5d8bb78042606e2550f8d5951e4c885f368f30c4798e3236a2e01a81ee0a08fc6f384fdf06530

Download Submit