6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
Size

38KB
MD5

ffe1a64d435b37073fd2a292e574ebe9
SHA1

de6c2be2b6da8eac4f3cbd7fef6ac102803c2c5d
SHA256

6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242
SHA512

88253431fdbdf1fb3514aeaf0c07a851dc1a0c0b1afafea55c2682d9d35042d24066e3e7adcab5ae9d4b5a36ead91d0948cb0a42db9866e53a17ebcef11a7cd9
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmFMQ:yBs7Br5xjL8AgA71Fbhv/Fzzwz16U6n

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3872) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.resources.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\hxdsui.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\library.js.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\Solitaire.exe.mui.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT.tmp	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe

C:\Users\Admin\AppData\Local\Temp\6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe
"C:\Users\Admin\AppData\Local\Temp\6c40dfade023fe220f64dd84f945dce094870db725b1e8f80f45a6af1dfe9242.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
38KB

MD5
afc91de1ae73829b576d6be499e3f053

SHA1
31fee5b47f55ac58eca43422990b399460062785

SHA256
40f2f46ded85a6715d0d25a9061bb5d6da5c5ee44f0e4a25bbc84b42cb7769b8

SHA512
088a7ee2e3f34967f02cf84fa73b9c91e50c8158ccd67abcc3e3353ccbfad346eb4ceb5bf03d73eafcdd046fd388c0ec28b24ad28a12c04472343ae980b41ff6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
6149cc57efb482c9412c16daa0eaccd2

SHA1
cf9db1ee38b3e45cb0a42c25c88dc0a146d2b111

SHA256
6ca8e8bb204dd94de246329186ae833e6b65e3c1e134218606ab715ba06ffd2b

SHA512
2c9acf9eff9f6c149e2877ac82eca0cca9a2200287ad7241886b2d22b14998105bd0020ac686a9b7f8f3c98b9fabb0b1adcc72280727be21606380760f4cb6b8

Download Submit
memory/1392-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1392-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download