b0ccea3ce2f1bc7d79bada89d3585c9c74d03664ad5b1a58dec1399a3059f331

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a1213132ddf537e89dfd42f9647e600N.exe
Size

34KB
MD5

3a1213132ddf537e89dfd42f9647e600
SHA1

d1c545ab6a5c02ecb21ceddcfd731ea70a43bba8
SHA256

b0ccea3ce2f1bc7d79bada89d3585c9c74d03664ad5b1a58dec1399a3059f331
SHA512

4808be8ff3378982b89a692034c4e1e321585634093acf843bd9ce880e9dd4635b8726aad2cc1ff2103d17153eefeba555cf57e02370dd01170e588624915da7
SSDEEP

192:pACU3DIY0Br5xjL/EAgAQmP1oynLb22vB7m/FJHo7m/FJHZaza81:yBs7Br5xjL8AgA71FbhvDGO

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3284) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\bin\jdwp.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\bin\awt.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Oral.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Regina.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\lib\management\jmxremote.password.template.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.tmp	3a1213132ddf537e89dfd42f9647e600N.exe
File created	C:\Program Files\Java\jre7\bin\java_crw_demo.dll.tmp	3a1213132ddf537e89dfd42f9647e600N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a1213132ddf537e89dfd42f9647e600N.exe

C:\Users\Admin\AppData\Local\Temp\3a1213132ddf537e89dfd42f9647e600N.exe
"C:\Users\Admin\AppData\Local\Temp\3a1213132ddf537e89dfd42f9647e600N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
34KB

MD5
1f69d3f320ab6a5a337c7e273813d940

SHA1
d218f6b91f569a05f88a2e9b062cf8dee82d1ff0

SHA256
8797056d819108b670585b7806d8257088f6b2a925ab6b4886c7cb0e4e9d073f

SHA512
a444bce0fa702d21487dd52351dd864369f72434c6ccaa4ffd100c8ac4dd88020e970a00211a80ccf02aa896fa728b3b10582189f27318ea3814c84b1b9d9661

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
43KB

MD5
23936d1ad78374255704f767ee97d69b

SHA1
de771b33969697d4e62c24124dd0e5cb702c4c33

SHA256
2db187eed2351533caf07b1df889e2561491ecfc49b1f51a84a24061b2a905d1

SHA512
1d6d9e3766c5726fe6c6b189ce4ff4f0ddca9754f8b85127b8efe93a84e8f85517194496666e89241ac82985f094ed326df38ae4c815db1ebe9c9d8bdfa50e0b

Download Submit
memory/1964-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1964-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download