ec18e086e1b1db956b7016fea9fdb8195813b2ce255512ee69a414d066a2338c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 12:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c606ec631662cae5ac8ce920a84b8420N.exe
Size

79KB
MD5

c606ec631662cae5ac8ce920a84b8420
SHA1

93b0e3631a0d66145840c12b288915d425fe735f
SHA256

ec18e086e1b1db956b7016fea9fdb8195813b2ce255512ee69a414d066a2338c
SHA512

891b8de97e1bee07a35f68f78064ae234ecea6ba76c81eef3d6ee39cd286db30181ec159ccfe4fc6b14d24f96b190bdb3203c8bb73578d346f142a08fc208a33
SSDEEP

1536:/7ZQpApze+eJfFpsJOfFpsJeFrxFrd462:9QWpze+eJfFpsJOfFpsJ0rDrN2

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3106) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Yakutat.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\bin\dt_socket.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\bin\jfr.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\bin\mlib_image.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Atikokan.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\bin\fxplugins.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jre7\bin\wsdetect.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\shvlzm.exe.mui.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll.tmp	c606ec631662cae5ac8ce920a84b8420N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c606ec631662cae5ac8ce920a84b8420N.exe

C:\Users\Admin\AppData\Local\Temp\c606ec631662cae5ac8ce920a84b8420N.exe
"C:\Users\Admin\AppData\Local\Temp\c606ec631662cae5ac8ce920a84b8420N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.tmp

Filesize
79KB

MD5
d100b29a58af20263cc6b272d664e625

SHA1
c1259d3f0568e63a5aaac481970021a0f20abdee

SHA256
04be5a9afce77c65565a06c6a2b0061ea37724c340b2788b043f809c1924d0bd

SHA512
4f5384af4081faf308e24ccaaf0524b45bddfd760d6b53e9410579f712de53b0328901f66ce1d5c9ea1fba70570ca5c89eec8fc28f2ed30a5350ea401c5b0ac6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
88KB

MD5
f5d28f7993360b228f5af9be591da6fb

SHA1
a6d82555107593c89efc723fc45e46d6a837ec88

SHA256
5a2188801d0ff3dc472f7edb17baa6222265784d0c2ce67b7f9d1ee57dc0fbd7

SHA512
244952379ff5d407ef67a61f7360bf7f1e41eef122cab3d708f2135a24892f6dca0d3ec10c7c786bf65b6d912be0d97b30f4f0d7984a1f53c0490b503889f68d

Download Submit
memory/2724-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2724-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download