e1e9e7c4008e42d3cfc05420819f96f978f40735dcfcb4a2b0dcbaf6dccbd97c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bb093d5caa0551a96a2ab593bae960N.exe
Size

201KB
MD5

85bb093d5caa0551a96a2ab593bae960
SHA1

9b2ede624d82eb71e7f0c6420f560a0353955453
SHA256

e1e9e7c4008e42d3cfc05420819f96f978f40735dcfcb4a2b0dcbaf6dccbd97c
SHA512

e958c3afefaffe7b6be4c04da44b799e398ffa228f3c45ea86a63ecdf095b76953c0535a6cd0cecaa76a4814f0ca3060b40c0b7ca31ca6778cb08899f1cfdb0d
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBJTzkT:RqKB+tOkWKR0iJ0lTzkT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2687) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Volgograd.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\DVD Maker\SecretST.TTF.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\security\blacklist.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\bin\jli.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Santiago.tmp	85bb093d5caa0551a96a2ab593bae960N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	85bb093d5caa0551a96a2ab593bae960N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85bb093d5caa0551a96a2ab593bae960N.exe

C:\Users\Admin\AppData\Local\Temp\85bb093d5caa0551a96a2ab593bae960N.exe
"C:\Users\Admin\AppData\Local\Temp\85bb093d5caa0551a96a2ab593bae960N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
201KB

MD5
8c7cfa668b06e9f2947dcbd7e386675c

SHA1
7b8a2985450ce6dda689dc01c39ead8d15dc23e6

SHA256
f36f2a4f311a0e1664813dfc79f79ff21f343138dc29ef408f704f133c3923cb

SHA512
8d80a736669c3701c0a415a60b15c33b7e78eb54e09762a76fdff252ae7190d0e1bf53b22fb96b74bd2e58ef850f1b3dbef546a6f859f5bb1f3589c4498a7c95

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
210KB

MD5
80efc0a6d3c38235b146296b396ece1d

SHA1
e976367784616dd641a07e08650b04f9adcde3a7

SHA256
d41da3fc2869c2c8d2863b0dda2899e8e5e9a0922a95ba1831b4a9a4c7ffa91f

SHA512
882c1a5f7ae4b848f84f07265efd59c9ecf319c3ee54695b6920762732443c373372ce09572b47087440e9285dae8efa3042686e2cd7d3ce7853a757c6de7f1f

Download Submit