8b9dff32ba6050cff609e650b09f004d7da9072cb262784d6338042ca1f3561e

Analysis

max time kernel
120s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1fa272ab36213498b1ea78bdfe94b30N.exe
Size

70KB
MD5

a1fa272ab36213498b1ea78bdfe94b30
SHA1

c47de66efb087b327d9fcb6ad2846448cc69d48a
SHA256

8b9dff32ba6050cff609e650b09f004d7da9072cb262784d6338042ca1f3561e
SHA512

8b18219486dca45e71ef3db314db73aadbd4136571735e5050303f88e05ddeb659f74301c8e12374367ed70546ed94114166cadeff596fb8c8d008103f29ba6f
SSDEEP

768:W7Blp+pARFbhtlmlQ3y3RWvf+wi1x9f+wi1xBTCcX8vgCcX8vSd5hdx8gl0:W7Z+pApfGQ3y3RWvfmRfm9sKsSd5a

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\net.properties.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\bin\mlib_image.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp	a1fa272ab36213498b1ea78bdfe94b30N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1fa272ab36213498b1ea78bdfe94b30N.exe

C:\Users\Admin\AppData\Local\Temp\a1fa272ab36213498b1ea78bdfe94b30N.exe
"C:\Users\Admin\AppData\Local\Temp\a1fa272ab36213498b1ea78bdfe94b30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
70KB

MD5
2e947e8f4fa7a5b35f915d1f10f88db1

SHA1
c045bec703998ced95322434ed42eddd01e67bec

SHA256
db067a21e72eadcd7ca4c7ffc81a228b17df9d89bf5e47fd874c0fd64124edf5

SHA512
435e042b5199f6e6de8a033696cae0fcad20602de428da4643962008c9c0f31df0b5d9236452d6a3dbd6868e1af1a39ae3fbfdd9791dd64d1f5c1244f4b8dcc3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
79KB

MD5
4a8506a47c3293b6be9f7e62f403ee34

SHA1
042047510bf305e693d0cf4ced4cb80d44e90355

SHA256
f970fb82bf4f02b8e7e17e6a6911fdeabedb9da03a85bb026a285a6b872c9e5d

SHA512
2b79b9677625b64f60839b0f2717d34a9dbecdea537e5763a1f1b2e0e9864e8f99f20c413b26005e07d0db64172f6a8db14d151a96774d06c7370df609540b9d

Download Submit