d1bdb0b7ac397f10e81f5354a7684ec44d4eee7544770eccfaa54a9284183089

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac4f8194637c79a1c0c12b3a4f81500N.exe
Size

52KB
MD5

bac4f8194637c79a1c0c12b3a4f81500
SHA1

9b686a7f7a45c07e2c8d47407a5f415350680e8b
SHA256

d1bdb0b7ac397f10e81f5354a7684ec44d4eee7544770eccfaa54a9284183089
SHA512

4b189ed2211ebdbb2ada56d9e1ca4185d9ec1f1adac560ca93973e6fe5149bf5e5cf845d1182bb330394440a1097d255d54ddb789a1d5ba5668da73356088f64
SSDEEP

768:W7BlpppARFbhHFoqAJwBqAJw1VyjVyfxAkJhxAkJ/1P2vcAivcAFNwgZ8NwgZo:W7ZppApyVyjVy21u1FNwHNwH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3395) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_asf_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblibmpeg2_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup-impl.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Kiev.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ChkrRes.dll.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Mozilla Firefox\IA2Marshal.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\view.html.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll.tmp	bac4f8194637c79a1c0c12b3a4f81500N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac4f8194637c79a1c0c12b3a4f81500N.exe

C:\Users\Admin\AppData\Local\Temp\bac4f8194637c79a1c0c12b3a4f81500N.exe
"C:\Users\Admin\AppData\Local\Temp\bac4f8194637c79a1c0c12b3a4f81500N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
52KB

MD5
1d3f35e477832106720d46b5254c35fa

SHA1
2548db7da2aefdb0038161afa982e71449ff454a

SHA256
2fc12b449379192065262fc0817e4bc82952ecbaedb526c52269b8d67d314082

SHA512
aaf6216083710e346c42b28554e10b76ddeeb50cb457f09694e748347a29a2c18a47c716e879328a27fef923ca6a0509e1d87b85d02bfa4f975e952cb1cf0cde

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
61KB

MD5
322da3d8b773c6217cb4c51649268c28

SHA1
fe586f62d4927e7219bf03db4489475fa33d9582

SHA256
82353d1335ecd4bee36ac75be493a0648c7394036ba097f4ac7b670ab66664ba

SHA512
25cb2f11ebe46e20548bcbdc0d38db9efdbc71e7c54a4a25d85ede2681ab7cfafacdfd79237fe13f28f0a3a8988fa6071531938cfc79aabb7b2ca3281ca878cd

Download Submit