a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
Size

90KB
MD5

89b5186442eda1f087db738f3f52afa0
SHA1

6fb1de34a72e454fe86fa4c8c6f6e9dbb2fa3e31
SHA256

a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9
SHA512

99d37bd7a90324cb1f8e4687fe094f4ff1e84fdcf72d3eaabe4c61ae1a2abe0969e665e03436746332f0bbcad2b0542a0d12fdc7394f865791ebf5a64c8e125a
SSDEEP

1536:W7ZhA7pApH9QHwtRF9qaRjvmujvmRzqzlmJgwmJg/SL:6e7WpHIyRF9041q6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3467) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\Chkr.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Amman.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Journal\MSPVWCTL.DLL.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Mozilla Firefox\lgpllibs.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Mail\MSOERES.dll.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\TableTextService.dll.mui.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\ImagingDevices.exe.mui.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe

C:\Users\Admin\AppData\Local\Temp\a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe
"C:\Users\Admin\AppData\Local\Temp\a71ae9e067e55e380bcf93954b8ef42d06ffc411cde649530bb74dd67e8317b9.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.tmp

Filesize
90KB

MD5
9378d221b40a0cc3b9ba9ccaeec8e53f

SHA1
7f12f253f2d8ad63c64c2d39599ea400ad0f00b1

SHA256
2184a67396a0f6fb762f168aa37a9265ee3f7f423f8dc746ee3db805a404b61f

SHA512
65d12b10071757fc7ff23b94f0525f852710a6e5fb6f8b82d67b5ccc4ef6eb24647108a438c3e5dcdbe15b046db6c0854c5e8f545b1482f7b55a163c002f0c07

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
99KB

MD5
7f699a2ccc3c23baefd0b90461d4cde3

SHA1
66b45008f3eb0874bc244a5a8dda96dfde4c407a

SHA256
2b627eb5cad6d999f52e581de509e8f8dea7bf0e2cddcf7b356b2b6e0d814ad0

SHA512
f9a66be7a014849dcf851ad8665f2c6de569accaa53b7b6e99f13898ff94ae11eaeb36b52e96d38860d6bcc037fa20e3d1073b0c93d3041f96a35e863c7553a9

Download Submit