20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8

Analysis

max time kernel
129s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
Size

47KB
MD5

4aa940de38e334f3830dcec55db92f46
SHA1

57305b8da79ccd2dbc34d337bf7950b6f27f0380
SHA256

20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8
SHA512

837b22b420b477c1931b8be882f86e9e0db861d793e6e2345d553cc1a4f9d13166eda8ba73fc90c0b1e16c13ed8538905829c7867ceebd453d6cda618294142d
SSDEEP

768:/7BlpQpARFbhsYcUYcwaVl2di1xzaVl2di1xDw9:/7ZQpApsYcUYcwaVowfaVowM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (454) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Internet Explorer\F12Tools.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\msadc\msadcs.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe

C:\Users\Admin\AppData\Local\Temp\20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
"C:\Users\Admin\AppData\Local\Temp\20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
47KB

MD5
512fa7f09bfe70da5e889947eb88ed8b

SHA1
59a05cd02ab696e3f11e74b2e91717e284a2ab78

SHA256
8a04a8b5032f1c268cf73bbe41319a8a6a247752a1cada432ce112e0938361ff

SHA512
e15895b6a2ac99a324738880a977ae1d0aca01985f78705f9a7b3195a0ae1254a0b8e7c3dc56791d15aa9a9868ff4636276058e5a368a151f3f7e0196bb61863

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
56KB

MD5
eb05c2146ae2658dfe4a5d98f3a924ba

SHA1
cabec78927ab4583d4542aee2dfd81ad914befdb

SHA256
23a97d5d7016ce1cb814679e35dc7fcff1b8c211c3685c52951a51dfde6b1e86

SHA512
3777ba4303633d6255fe7fd8051634962974f577e79f274f1f5b27c5f964de6dbf08186789a8b253338f1ca8e6af4e7a45faff4a3f6e74365f75095c17fb59d3

Download Submit
memory/560-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/560-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download