8bcc4e6950a8363379fb4af671274d0402dd33e99ead821385c3387db2ba4714

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11745260c89c71ab30a7bfdcc9fa3c20N.exe
Size

53KB
MD5

11745260c89c71ab30a7bfdcc9fa3c20
SHA1

d311dd098071be8dfccf43916e97724df78e4a5a
SHA256

8bcc4e6950a8363379fb4af671274d0402dd33e99ead821385c3387db2ba4714
SHA512

98b1390efced3a2ad0fe414a3168864c3fcc29ae4813aabc58efb3ecfd46bf21ae420648db917b688ccbd11cafd1b939831cf28b1c6f0ceea84893bb5c6df1d7
SSDEEP

768:/7BlpQpARFbhn54fmiy+3BVr54fmiy+3BV6na33EskmKsM33EskmKsN:/7ZQpApmi6nvfmK6fmK6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ir.idl.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Warsaw.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\BlockAdd.xlt.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Monterrey.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp	11745260c89c71ab30a7bfdcc9fa3c20N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11745260c89c71ab30a7bfdcc9fa3c20N.exe

C:\Users\Admin\AppData\Local\Temp\11745260c89c71ab30a7bfdcc9fa3c20N.exe
"C:\Users\Admin\AppData\Local\Temp\11745260c89c71ab30a7bfdcc9fa3c20N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
53KB

MD5
ab32d5e88f29a59047a5d6d52a67f268

SHA1
f61f659d9ccdbc75c5226649385fc5b0ba61818b

SHA256
043e9b952b4543d6769eee797eb471737d926b572b97ed6012b72f9e35bd5237

SHA512
0dce140b1871db21ea353e11542f131d4baaedc4d4755e391c77acd012647f7b2097c439e61e37b76af614f3b73945936354570b5e093e95cab53fb61712c945

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
62KB

MD5
e6a042eedee880f57d3c92de1f73d5bd

SHA1
72b71f1986baef79088ae388f11904661287089d

SHA256
e064f1ebb0e9d44004cf3bf7da616efa1b1d6c8b6ec07d53e1b54ff19a0f884a

SHA512
6bfb923f4a4840a7e79956b7abfb0cc34833c08d4e990b6cb90ca5e18382b69272af49ecc77c609b8e6420652646e82c1e8fe52d72d167af4d04ba0ddbdfea0e

Download Submit
memory/2432-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2432-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download