160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
Size

195KB
MD5

5e3da90b53834144e26a335027356de4
SHA1

4ccee86ac98428534eac191ff0181c9f2f4e208d
SHA256

160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218
SHA512

e0750d71923995d7d7407917dae1291cc33fec3879f75bb344afd233b7af35ba7a826e506e171be0bd46fb8df7d8e0151e25a7765aaaee2cf46dc695b9fd2b80
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBJTzkI:RqKB+tOkWKR0iJ0lTzkI

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\bin\jsdt.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kcms.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\ResolveMove.pps.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boa_Vista.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.tmp	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe

C:\Users\Admin\AppData\Local\Temp\160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe
"C:\Users\Admin\AppData\Local\Temp\160b94e32b408b96f3791a1e46ede8c06152ee85cdd267e598c4a19765fba218.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
195KB

MD5
3661a6466f095e5b405cefc754690dd7

SHA1
0a87fcd8269abd0534e51e8f6d3ce905523748e3

SHA256
75dfa357b545864d77af1684b5fe1b03bfc176183c613105e0cc39f70b0c7363

SHA512
55a4f0aa16dc6f36020f11f152717feea358a54044e542c10e7b150d177b0ba2f3b29f573e6cbe1fbf281f21ce71330dda0a2e220edf5133244566734c31f62e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
204KB

MD5
ed9e5c9df6b167f55cb4953bd22d8c5a

SHA1
27d16e42737f4c31fc4087e404aa4a0a90ac0116

SHA256
d0d20c46f4e613b91f187166c64e7f6d86cd707bcd1a9848a5d51f83ac1fe682

SHA512
1bcfc657721acc1d17d2bdcd4262a6606a5f1a8abbd4dc15501da950be9ef4f5c39448f83daa3b0d8e686541b8050ee2f6a40c1a1e3d978197f00be3f1c6ee07

Download Submit