ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
Size

39KB
MD5

889e67d871f9e500d728a627bf056ab6
SHA1

021d087c06dcb0f6f84fe88e03bd87869be8c698
SHA256

ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed
SHA512

d76b89a14a9245b8d88a51403c4ff35fcd1d0ba56e60d201dcc4fda5e788b242f1c17604fd1701cb6025820a7087b25c394b8702ccef4290f6cc6f326b482db1
SSDEEP

384:yBs7Br5xjL8AgA71Fbhv/Fzzwzscuc9lUFTlUFt:/7BlpQpARFbhNI6FuFt

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4015) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\LICENSE.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Journal\it-IT\Journal.exe.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\sqlite.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jre7\lib\jfr\default.jfc.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\PurblePlace.exe.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Lisbon.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT632.CNV.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.CMP.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace2.dll.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.INF.tmp	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe

C:\Users\Admin\AppData\Local\Temp\ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe
"C:\Users\Admin\AppData\Local\Temp\ebcd3cb583c3b20ccffa7f78187cae6fb34efae6f06b02457271b93d713e95ed.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
39KB

MD5
e71dc7a8e6ff1d687fa060668041b3ee

SHA1
1203410b8329e93bcd183914c7dbf9a19ddfa577

SHA256
fde0df0f00604e70d19492ea9677793be2d09f519cd700b0e0e3452e5028b44a

SHA512
24b5818b34eb5ac7b86a1d908dfcc948e26fb6c13b3ccffc9caddca53d8ea8a8cd2b8c67d21a7895355c7223e54e0e345442961925c4f84c01b6370cce11a1dd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
48KB

MD5
d7d765c28866b3326d353c955d59a6e1

SHA1
7bfc968baaa965f22f5c70f51c29367d1f65bb15

SHA256
5ddf756bf14aa2d077318222bac21f655dc0c285df8c7ec8ecc32c38ff50ebae

SHA512
683eeaa45da7aaf2822f8b1d6004e419fb1e2b79ea388c4f3f15bed6def614dc31e306c6fe081deb9042b00aa917091a3f99295a8d39439eaf3863514671ef79

Download Submit
memory/2764-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2764-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download