0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
Size

40KB
MD5

ac6ac8773bdd9989af87ee6299deba8a
SHA1

cdb175ae740c7c0bd9d52d0839bc4346a5405e13
SHA256

0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd
SHA512

9659088494fc815265b91632bd3c0fe16c9b7c77973928b5323b559affa0f9573369375a82a6ceba3cdfe4e2348a5b4209bd1c20ba447c56e708196b19ffa186
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LObC8p8USd:W7ZhA7pApM21LOA1LOJSd

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4115) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\THMBNAIL.PNG.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Abidjan.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\libaudiobargraph_v_plugin.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Journal\ja-JP\jnwmon.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\settings.css.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libswscale_plugin.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\ClearProtect.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.INF.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\attach.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\VBAJET32.DLL.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\InitializeWatch.001.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api.tmp	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe

C:\Users\Admin\AppData\Local\Temp\0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe
"C:\Users\Admin\AppData\Local\Temp\0dc32e4bc21889b31524f1d7435e56c50f8810311c63b409e92c2d0cf50497bd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
40KB

MD5
faa4913ac2128471d44ceada488ffa5b

SHA1
09252da352073f5708086147cce8f9140bee0d8c

SHA256
9b028c19a83e8838e214e48383d93a8881478bb64981a6e06fb79c0906628c0a

SHA512
7da2c028a1fdf3c5d0d4eecea28eb16c857b2d6426a12c233b92c25e594429ee096892004d6f2c5053688fac6b5a09b56b60c4e6da93f41ea4899b3e06637de3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
49KB

MD5
2dd3cc2a6183ed4d40aa4c1daa22ea97

SHA1
63e0dbb1127e557b51d977d5c618b379a3c096d8

SHA256
8ac60fa8dadbb86825b2907eceda1286f816d38d6ec2f3dcfaa6e602a612cefe

SHA512
5d31d1f7422b8eb3d14fbbeff2753773e7a38d61983d5d248d7d8a270dc547d22448d4b1a2728e074a17a5017798f484bb99ccfda2505452837ad9dcbe4d511b

Download Submit