a4aef0f7840b04883ba4569477dbb1b3147207d18a5ef616f71770c833d7872f

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f52247872d0f7fba63ba384de35cbb80N.exe
Size

39KB
MD5

f52247872d0f7fba63ba384de35cbb80
SHA1

c6914ec86a402a0b3ad11891e55fd15c736e10e4
SHA256

a4aef0f7840b04883ba4569477dbb1b3147207d18a5ef616f71770c833d7872f
SHA512

58cd5e85c7d4626d0c1da223cd63e0d6b52e305b842b29d300dc83ce640b27e568730a4422b0b10a9686b05605ae54adeb6e74e412f033468f3b0cf6d1ed0510
SSDEEP

768:W7BlphA7pARFbhM0Kkq81LOyq81LOl6Sl5ltrnAkDanAkDQ:W7ZhA7pApM21LOA1LOl6ArnAQanAQQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsound.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Edmonton.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\PurblePlace.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Mozilla Firefox\firefox.cfg.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Prague.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\StartCompare.MOD.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\bin\jsoundds.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages.properties.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-api.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\SelectSync.xlsm.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp	f52247872d0f7fba63ba384de35cbb80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.tmp	f52247872d0f7fba63ba384de35cbb80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52247872d0f7fba63ba384de35cbb80N.exe

C:\Users\Admin\AppData\Local\Temp\f52247872d0f7fba63ba384de35cbb80N.exe
"C:\Users\Admin\AppData\Local\Temp\f52247872d0f7fba63ba384de35cbb80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
40KB

MD5
0feb09f0b47b76d6e5d5daa915e30f77

SHA1
9922f758ba36666d9d22164ea5fbf493e935883d

SHA256
3e47ac911065fb81e470389e6aa485ac89ee6d6051ca27f14f3700054e3923f8

SHA512
0feaa39eb63e1bdcee45fb9f7798653b80b8f86a30fd1b8d84e3fd547f5f4b335a9858e60cdb2d61f1c5bf9ed135ac11b3ac57e3a64f4c3ddba5da9bfdadfd17

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
d2f7a4a967b9e23707189215817fa95a

SHA1
b36e946e67700fcd137f51080880fc5a2bac57b0

SHA256
5c243117567a8ff2104f54672e956ee2c6480541372890f467cd644537869492

SHA512
de926bc5643717b4285625c0365840f12ccfa0d37c8f80de21bdd7ec6fed133f172a1e1d8a14a5111dbc8d08b8d55d1100be7f3effce2e3cd67a711001b9167a

Download Submit