be81b6175de89ed930e806708b2e31f4e7c762677580d163faffcf965fdf2f14

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 10:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0ff4bda7638471fed3f188c903883a0N.exe
Size

67KB
MD5

b0ff4bda7638471fed3f188c903883a0
SHA1

c212f19276ff76267bc4902e96f2992c2cfa5d57
SHA256

be81b6175de89ed930e806708b2e31f4e7c762677580d163faffcf965fdf2f14
SHA512

eefcfaf9d511539a735f98ba0dbf62ceb75517e5d121c9161d4b7757c07e5d34c1add2b24219f23b07b85c1b8e311f0dc5c6b33102e5ce0a5c00c5388a1e8b6f
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJ9VD6NVD6GUhYTYk:9QWpze+eJfFpsJOfFpsJjub8k

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3122) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jre7\lib\amd64\jvm.cfg.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\rtstreamsource.ax.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\profile.jfc.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Baku.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.tmp	b0ff4bda7638471fed3f188c903883a0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.tmp	b0ff4bda7638471fed3f188c903883a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0ff4bda7638471fed3f188c903883a0N.exe

C:\Users\Admin\AppData\Local\Temp\b0ff4bda7638471fed3f188c903883a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b0ff4bda7638471fed3f188c903883a0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
67KB

MD5
ea6e70e2a98e1680deda1341ef5b6d1b

SHA1
77d34a856c40a72125d331582bcf359757b97419

SHA256
44760fd5dcb7003cdd31ccf96f6918f1f9301670637ae087c8641eb062291f99

SHA512
d6b2b17f3893f8d2f9be67c9f8bf49abad9064d257e8d6cd71cca1c16cd2812c2cfd8dceeb9f8519a1c3bd85acc2e1f14a85540f8879c8681c432d500a0a521f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
76KB

MD5
1f62dcbc9c6a393a340f04e5eb9b51ca

SHA1
2466d80e9edd7625dc72a3d42e7c4c0c8e1ee134

SHA256
65cf1f5d61db999d9fa898e4b3ad9cd6de7a39ab066324888027bc7573c19c50

SHA512
873ff0f3d3600273e3a4bff2ac350b976dc25e1b3534c862c898a12b4b1c231f8043b169c6f668c0ac4d5ea64ed41cbe2713135b4bb703ec0b586fc8d87434e1

Download Submit
memory/1540-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1540-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download