2fd879545e0a18af6cbf4e6c7e2d77ef607fa1a7a79361d35ec7d24e5d53fded

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b363a95362a296ed0c65e2fea3212190N.exe
Size

38KB
MD5

b363a95362a296ed0c65e2fea3212190
SHA1

f78e13a5245e989851c26dca1dd774e236f05fd1
SHA256

2fd879545e0a18af6cbf4e6c7e2d77ef607fa1a7a79361d35ec7d24e5d53fded
SHA512

f876885be94b0c0d7fb039a1501d7f92056e143b73761055ea568af1326079507b79589a3d4993132452fbff1b89c47bfc6456d0e82aec696a34d574b12a68e3
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHA9jxje6OMmy6OMmI9h:yBs7Br5xjL8AgA71Fbhv/Fzzwz3ZsTZ8

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (406) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Internet Explorer\perf_nt.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	b363a95362a296ed0c65e2fea3212190N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	b363a95362a296ed0c65e2fea3212190N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b363a95362a296ed0c65e2fea3212190N.exe

C:\Users\Admin\AppData\Local\Temp\b363a95362a296ed0c65e2fea3212190N.exe
"C:\Users\Admin\AppData\Local\Temp\b363a95362a296ed0c65e2fea3212190N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
39KB

MD5
ba2871f87a5fd43738c1f294d1649874

SHA1
650a525e8a41b81c0d562103aa90cdae4bfadd3c

SHA256
8ff9d4bdc805f175e9f872282b193d5b0e06d00da9d2a58e3943fb14496b65cc

SHA512
a7827f3095fba624633e2064767cddd7bb2bbe04f6b971ebeee8abcba592b417acad1020d4890805561b4e37a3ae2f98f0ba4cd8f82158bce96db6154609baa9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
2c83011a030c211cfb59fa469a6420a5

SHA1
4507e0b3e632ed37cc6e5605af0e02328d64cad7

SHA256
0636cee2daec8763b9dc2fc1d9aea2f03ed831bf8fd548023331117d7ea270e0

SHA512
3de7fca843110a0efac282fe64735ccec310481f33c4e8641a61f247f2d8a31b3968af8cfe1dd77dbf99c611dbdffc4f6a4998e0d5f68a716d76141e007ca92f

Download Submit
memory/2488-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2488-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download