dceab3e1016638a05b0c34b71a5c2df70b77e0758771892cea638761d40e382c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

614062c4babd45f6c6e3c57555999a80N.exe
Size

44KB
MD5

614062c4babd45f6c6e3c57555999a80
SHA1

fac451e9b71f3a5dcae6be50327134285f39607e
SHA256

dceab3e1016638a05b0c34b71a5c2df70b77e0758771892cea638761d40e382c
SHA512

4e40b0d0a719912d4a876e7569a6f3d14e803896c073dc18c2430fca46c0d27fab0bd5349bf31200d941a1d80b68ff79742436a9b3a60159115b6632794d462f
SSDEEP

192:tACUADIY0Br5xjL/nznlAgAQmP1oynLb22vtI0zWXPXj:GBt7Br5xjL7lAgA71Fbhvt3M

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3248) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Resolute.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Minesweeper.exe.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\Chess.exe.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.tmp	614062c4babd45f6c6e3c57555999a80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll.tmp	614062c4babd45f6c6e3c57555999a80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	614062c4babd45f6c6e3c57555999a80N.exe

C:\Users\Admin\AppData\Local\Temp\614062c4babd45f6c6e3c57555999a80N.exe
"C:\Users\Admin\AppData\Local\Temp\614062c4babd45f6c6e3c57555999a80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
44KB

MD5
a3d930502afd9a1cf4323121c303f5f3

SHA1
ecbfc18cc1d0e4603bd72ebcc2c779fefc258758

SHA256
6038dd1db8e8642a056139ec731751cbb43ab9361d5339ee5756e281f6c38c92

SHA512
7d2cf9834c498532d461d71a9b838c0d9255dac19700eb37d61a32bc9257954eacc0c76178ddab3b8a313aaf1fd6bd934ecd47d880b48beb1988d3f3241d3173

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
53KB

MD5
4587e9e05f22931205726af71ce484b3

SHA1
36c88e8d1228001d93400a2eb44f996486524c9c

SHA256
cee85c879f4512d27a973e7ec279d6af18e2c1a01b6c58835c6bd027d5aa79b1

SHA512
e3a12c3274b4e864e60e3ca47944c1a3148697e8ce776055323c793ad8a3ce37b745eaa15e1a546e60cbb8dc15fac777da39900b7be5fc3ae5ca4e213b46b962

Download Submit