efd87d69f563f557a4669afb106fbae11043432e6725ea4834d0bb049b2cde1b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8170d9cdef6d8b3649d6dc961974490N.exe
Size

102KB
MD5

a8170d9cdef6d8b3649d6dc961974490
SHA1

3e8e052953285fde5181b99cc17c3f9caec240f0
SHA256

efd87d69f563f557a4669afb106fbae11043432e6725ea4834d0bb049b2cde1b
SHA512

0944b921e92881ce8587e3528260afce921f42bd43e1a75dcf01402086999889700e3c1593a7a5fd721b658b3b20bd6d56cb5f1ea1ea8a80597c39c391e3f62f
SSDEEP

1536:W7ZDpApYbWjIlE77ufL2e+efZwZQ/8S/80PqPIUpCUpiPa:6DWpwE7oL2e+efZwZ08i8X

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2925) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\bin\jaas_nt.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunec.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Oral.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Chisinau.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Qatar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jre7\lib\flavormap.properties.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	a8170d9cdef6d8b3649d6dc961974490N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8170d9cdef6d8b3649d6dc961974490N.exe

C:\Users\Admin\AppData\Local\Temp\a8170d9cdef6d8b3649d6dc961974490N.exe
"C:\Users\Admin\AppData\Local\Temp\a8170d9cdef6d8b3649d6dc961974490N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
103KB

MD5
daf75687ae8f494a8341873d8e0a93b1

SHA1
108dfb7591992210f111ab53b0cf0b3050d4f7ee

SHA256
e66e04e67d783302524d0dd0cdaaff0ba6a35d0eae8e9479ba8fc03df147cbf7

SHA512
15a6de9493462fef784069e01715adb83dc4dd64011c9e94fc624ad59089548257066ae392d92522f713895050ac8604d512832345203fe1956141a789426060

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
112KB

MD5
6079515a360e08138b850a16f55f75f5

SHA1
ebd0022696c0514c862eb215fa05111e836dddb0

SHA256
1e5fc3dd1ee5c1f6ab6d4f8d13cc566c8f39f680d914b2c3f2d8ce508545cd85

SHA512
04a93abe27939552b072522379af2275451eb0e5befc269019ad31a6bcdb7091ae33de56b548a9f5ca17d0471998b838d85366616de1e2dc7e8e337a5c4df68e

Download Submit