4e2ba6c86c930b377d8d5093dd43de0c5d6ffa54e1a83e31861a864b1a72a798

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48a2c50a88ee6bff17e1663148953d80N.exe
Size

50KB
MD5

48a2c50a88ee6bff17e1663148953d80
SHA1

6b7e7ed2aafd14a1de9ea50f93aaff7312025408
SHA256

4e2ba6c86c930b377d8d5093dd43de0c5d6ffa54e1a83e31861a864b1a72a798
SHA512

32bf8c2b2961d58295bdfb929717f144f44081ecdc561ec7d5979b1f6397cd61673107e976f531ea34e3f335dfc2e50321d02c99e4a9f6a8695f2b491e9fefb5
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFXpK5c5khwRDThwRDwfZfarc:W7ZppApBULcfpHLcfpyDA6swXwXrc

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3250) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\bin\deploy.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.DataSetExtensions.Resources.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\bin\glass.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\New_Salem.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\New_Skins.url.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Dili.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\tzmappings.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.tmp	48a2c50a88ee6bff17e1663148953d80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml.tmp	48a2c50a88ee6bff17e1663148953d80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48a2c50a88ee6bff17e1663148953d80N.exe

C:\Users\Admin\AppData\Local\Temp\48a2c50a88ee6bff17e1663148953d80N.exe
"C:\Users\Admin\AppData\Local\Temp\48a2c50a88ee6bff17e1663148953d80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
51KB

MD5
7811edf0fe50e34d0015ec424560b41b

SHA1
c3c2a5ec99913d3901e2888f1ec508dd63b40c73

SHA256
cfc349f4873c6d80e688db05e35d03dfe4dd90805254d6a03af4d34caf5c3b0d

SHA512
f00a48f243e0a060d581eaf60d1a08c679cd5055ce94a802c8c6fe3629e5b0fee882a7caba3809327bd6d36f2ce11a5f21d0c7ad12588ee3d6cd44b3435937f2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
60KB

MD5
e82fac1a2f3438fcdd321ee3a08f1ce1

SHA1
f813410464b998ae8d14bc8283510ff2b74509c7

SHA256
2be89dbadba47e8f3ab25e059a5e1f918e2f39f4a4f420bfc3fc67db1c352634

SHA512
b59ad7a84e421293d1daa38eeff1d9ff1e8615fa1287ba46d3a47e3fcea5285194dfdacb79c88c676e6e0b57062a15166808c4bee35689f6c5b9c84b3b7c8d9f

Download Submit