9ed5abce52903d0fddd0026a956b66c1e29d437d02051776142316e47bf936ce

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13833e2919c36bee370ce912ea646790N.exe
Size

45KB
MD5

13833e2919c36bee370ce912ea646790
SHA1

e332994ee2cea4189327dd5e39d24acd55a561ef
SHA256

9ed5abce52903d0fddd0026a956b66c1e29d437d02051776142316e47bf936ce
SHA512

8d04191e082e4334f6ef1338e0fe7007e8f048d9da23ed133f64e3c04e071b13d31ad8c9a12b08fcf57bb77eeac63e2af31f06d64f54465065f1f7b46db85e23
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3Gb9CGDb9CGBjUDXV8gcjUDXV8gH:W7Blp9pARFbhOCQCPjZ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3789) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\penchs.dll.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse_1.1.200.v20140414-0825.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_s.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Belgrade.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Journal\it-IT\jnwdui.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\gadget.xml.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico.tmp	13833e2919c36bee370ce912ea646790N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	13833e2919c36bee370ce912ea646790N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13833e2919c36bee370ce912ea646790N.exe

C:\Users\Admin\AppData\Local\Temp\13833e2919c36bee370ce912ea646790N.exe
"C:\Users\Admin\AppData\Local\Temp\13833e2919c36bee370ce912ea646790N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
45KB

MD5
b219b5d008b9106e0e96ad036c05d189

SHA1
1a23955309c58a1c23818aff38f68b6632beb409

SHA256
1cfe360865b34f81b3aba6a8196414ebe4b1e2751a285e745d6c9d303d241f13

SHA512
43334639ba45818f05c7c7dea3aa89bbf89f1027ca34271ee0929d838da6d1e133846d3b61998e799176842e1f9fcda9d2fa66d6ec881df3cfa7de1adc6963a1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
54KB

MD5
c867add4827b2c700e5e51ccddc7ae00

SHA1
a0edbfdd7754363de2cb8d948a5a4ded6b43c6bc

SHA256
44106c5eecfaeb36aadec48089145f261055f540a52d2d450357b95f7f7c82a3

SHA512
54a7d3d43f74381d6bdf089b551b4bcd8ee5d6f778a5d67c50e7536d8b3a7291423822545961254124b6388136cfed3c77a3760cdac4572e73e59dd0750d5e01

Download Submit