4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
Size

44KB
MD5

6c5b6359d4c4955836783ebc2f11467b
SHA1

bf83d2df53d2790699701d52a9ac229d1babdbaa
SHA256

4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9
SHA512

e888499c89a059a5a7dbda50f6fe2faa86fbacdc3452b205797f649e87a24be015b8e0ee4b30ce46965f999dcc583831d3135c083d069000726dd56e15cc9529
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNF2B5dB5m:W7ZppApBULcfpHLcfpyD2jdjm

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3818) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\t2k.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Tashkent.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mip.exe.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipBand.dll.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Panama.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Antigua.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Marquesas.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jre7\LICENSE.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACERECR.DLL.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe

C:\Users\Admin\AppData\Local\Temp\4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe
"C:\Users\Admin\AppData\Local\Temp\4943cfe4ad8c088c9d5ab0f85804b343564446b7264a6a4b599468f7c02a81f9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
44KB

MD5
335a21b87fa81f6c32ba0b38096e40e6

SHA1
4b851142a246abfc52a29034ac4a2bb0b16eb1e6

SHA256
2565f66d96842fa3e857146a156355131cc9577c036c72b14a27f3f4a51067f5

SHA512
f8fcc22d31f9e58424c35414c762b70138665ab70f270898a3e07eca81620191b13f43246b176cb89f041bbecf232db407525b4fb2697e95c9ab5d473fcfa829

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
d2b0ac510dd855ad2a0af7d0e4f643dc

SHA1
ef265f6438fd34c42a9dc358ac2611add24165b6

SHA256
da1de6d3f32060590c259f349fc42df0ce1abb9b38cd3e06fb08fda5091967b6

SHA512
4db51b7b634403c7e5419a5612b0b430c9bcafcf8c9faaa3a810bae6350bcfee3b9f55abf85a78f1e700f425114bb9c923b7460da6ad899b82e42755c5b2a20b

Download Submit