c72a194dc695bb17469409f1fd85c108609839f4920daf810fce3fc1a7c6fd64

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c8008cd63fdf3e96348ba26151e3d0N.exe
Size

193KB
MD5

64c8008cd63fdf3e96348ba26151e3d0
SHA1

71f2e92d931a63d45db3100b98cbd6e07d3f02c1
SHA256

c72a194dc695bb17469409f1fd85c108609839f4920daf810fce3fc1a7c6fd64
SHA512

99b7821075745c589075620907161e9fdf010cc9816d0183cef6ce6899c7e8dccdfcd5f3cb92931fee3c9c54cee1d3e768c080bdd63ea8edaaf653f60d25bbee
SSDEEP

3072:6e7WpMNca3rytOkWpXfnYRl2l/9HSFHzJ0lBJTzkS:RqKB+tOkWKR0iJ0lTzkS

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2757) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Microsoft Games\More Games\MoreGames.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bogota.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\meta-index.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Denver.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\bin\jp2native.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\bin\libxslt.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\sound.properties.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.tmp	64c8008cd63fdf3e96348ba26151e3d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64c8008cd63fdf3e96348ba26151e3d0N.exe

C:\Users\Admin\AppData\Local\Temp\64c8008cd63fdf3e96348ba26151e3d0N.exe
"C:\Users\Admin\AppData\Local\Temp\64c8008cd63fdf3e96348ba26151e3d0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

Filesize
193KB

MD5
3f4faa4cc6e48ea1d191fe9e0794ad8f

SHA1
135ac3c861d1506569b0816cdf4510a4e0c8258f

SHA256
957bbd69f83fb35cc65f26a44baff63a6ef00c48f58025df249c4377910d070b

SHA512
e90768040834435e80a0e3b41b5d1d26c442a07f4c19e4634d8d3fb228b44e990180dd8ebc6d827cce9240b36db7b9f03db3df31c42862499d48b484084c619a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
202KB

MD5
b40898cc89269203e95c4a12ac1af808

SHA1
b653edfacb777da24ea79732d0a4473dbce56cf9

SHA256
00d49de4c2e3788e1fce75e8e503c13e97816a5e8a25179b72c8760d4459d61b

SHA512
32d3d38facaa83de664a4c4a9cc599e7d8f1664a394ce1eea8ac4948569bf16a5ccaf63a011babfc13713e0bc293c762606e9d5d45a21eee5f0c17433eed7cb4

Download Submit