ec508d93e5071a56d9e740f47e26b332f083eb88912ab55316d1bb525243199c

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1cf65e34cc6b76a20f6b4149da7c000N.exe
Size

41KB
MD5

b1cf65e34cc6b76a20f6b4149da7c000
SHA1

60c8b415ed88849e0b41974c27ce0ed303ad1155
SHA256

ec508d93e5071a56d9e740f47e26b332f083eb88912ab55316d1bb525243199c
SHA512

786cf7ad536624745c848be2d897c8bcf817951ec6924e26712c6f0a44494e32fe531ca2ef451bdcf7519f93a331bf38d52231202ff44e01203290e96743a37f
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/FzzwzgTAUAUvWAgvWAN:/7BlpQpARFbhNIgTu7us

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3350) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\bin\jfr.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\security\blacklist.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Araguaina.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	b1cf65e34cc6b76a20f6b4149da7c000N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1cf65e34cc6b76a20f6b4149da7c000N.exe

C:\Users\Admin\AppData\Local\Temp\b1cf65e34cc6b76a20f6b4149da7c000N.exe
"C:\Users\Admin\AppData\Local\Temp\b1cf65e34cc6b76a20f6b4149da7c000N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
41KB

MD5
d63c39f9fec1ce79cec7ef47aa6bb559

SHA1
9bbf6727a8da295c89558588e359d4accbf0c3b6

SHA256
219e3026b3f26157a25f4dd62c0deaf3133398a3f27015821af51ee33b41da8c

SHA512
92025a47b02f8b10a365cef804efa76578bc10bd2e9629300610c1b61bbc56e00eab1092ec603c2c956884410a831fb09dc26f056cd20a23ff52e0f8754ad88f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
50KB

MD5
ea174a18ffb14d85d34b287be571b57f

SHA1
38bfd3c230f1dc816020ea1861fd26b90482b53f

SHA256
0486135e653ede372d72cf96b0aa9f5d928816c1545f8e4de5a09809eaf44ab6

SHA512
f581aae65f9115049e106e0920fd802d80398562a4acd23cf9dfa2c4c9d5f6c001582651ca05fae6f06eb5a2fc945340e9b29981b3be856e30e1f3b91a55cb1b

Download Submit
memory/2312-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2312-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download