1edbea7f119a17969d5b3991e91d32e7b3cf5e51b37adc906af6f8d17964f04a

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e28f889e8adeedf4cfd480445c50e0N.exe
Size

50KB
MD5

56e28f889e8adeedf4cfd480445c50e0
SHA1

797ea0208c943410f63a811950d597a9f8c50ff9
SHA256

1edbea7f119a17969d5b3991e91d32e7b3cf5e51b37adc906af6f8d17964f04a
SHA512

d1f46ca998afd052e7ea5ad1a3730d4ef30ec0ee299770c128e40d77c7fe44d7e6fb30f327e0d1ce50e10862a9b61e10eda3db9d0175ab8e007031f42511f1d1
SSDEEP

1536:W7ZppApaJofJo8qqF5OKRgENwzqqF5OKRgENwsKB:6pWpOqF5OYgENwWqF5OYgENwV

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3256) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\freebl3.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Iqaluit.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayenne.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Lima.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	56e28f889e8adeedf4cfd480445c50e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56e28f889e8adeedf4cfd480445c50e0N.exe

C:\Users\Admin\AppData\Local\Temp\56e28f889e8adeedf4cfd480445c50e0N.exe
"C:\Users\Admin\AppData\Local\Temp\56e28f889e8adeedf4cfd480445c50e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
51KB

MD5
4b99c4f579ce3774c2de7f59a9aaf086

SHA1
883df9c592ed9899eb1a13db05c3bc2d0ee47859

SHA256
54992b2c6f7a1b0cfbc3de61018a986afca74b542f82f1ceed9eb6c985679acf

SHA512
860ba65833acde181fc4b349b77d5e8bf17504daf84dd2c7b4eba025fc3162d9a0b5234dd62f39de91d9b09642196497ce51d6695c449f3dd5a2c9245a1fc282

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
60KB

MD5
8cd251f2dd46d8b992e7cd0163a07311

SHA1
c30bf73c506c3a1dc8d63918d25270c4d3a1277f

SHA256
a248365063140a78324384f2ecbaa88cda97987cb7ea0b060d8c6c01d099a3e3

SHA512
16012acc5256952155292ea5cab12359935015653b43a71ba778d59ead7790ab8586ed7ef55748e9a437d9730c7236927605703dd0c0b196ced3466789216bf3

Download Submit