e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
Size

89KB
MD5

64260b5e03c480490407e87345c86f41
SHA1

57df911e2718f4c9581a2597c988ecb09e8ee72c
SHA256

e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249
SHA512

dd1694eba616d622701d97acca2fb0ea924a3af28d28715753d4ce3576b6767d819a7a7b29b309f6d04068f896718c31fb345294c6cf75bedb2b8032c484407d
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhu:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsT

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3535) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Printing.resources.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Portable Devices\sqmapi.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jre7\bin\npt.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\settings.ini.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\DVD Maker\Shared\DissolveAnother.png.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\init.js.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe

C:\Users\Admin\AppData\Local\Temp\e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe
"C:\Users\Admin\AppData\Local\Temp\e8f9dce639dd694f68c726f9b8f70619184c50fe695efd0db3259b6727b0c249.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
90KB

MD5
e8fcbc7477197d3f6f0db1e89abd57b3

SHA1
3a5572570d24d1d6cf82194eaa45cf1faf26ae0e

SHA256
682a7f454b32d39cbb84fbacd910ac71aa4357afa6d1a276ded51bcb62eb4971

SHA512
d082378c1f09884496a74c280e8464fd7566735d058bdfe39a854884a420a463f3ab2817e37cf5abaf3d978acb989b6be3e05b55232ca159491df64997ad67ae

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
99KB

MD5
5a086bfbc1c06df73639de47def76c0e

SHA1
dc37b114385d900ca33be26d4a322cb581b27b47

SHA256
1f175b8b51c112173dd6a06ccc6f76709a14ec72a7ee8816d7ef370ccab8de17

SHA512
21898520142f8e345d2dd4f486c61a994ace1ea17ce604443deb394ef6df3135e04d5c3b9c1b19535b1d9eb29f8d32e246c60d82e8f0cd25ef42ab624b8785ee

Download Submit