2eaa3d653c3e7ff3f045abad56088ffde45d5ea7241e33b34662e5bca6c2e004

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
Size

53KB
MD5

1ab67ef0aa79aa71ba91e12a4dcc8630
SHA1

68844f78d11fc651699d651f832d369149b1fdf8
SHA256

2eaa3d653c3e7ff3f045abad56088ffde45d5ea7241e33b34662e5bca6c2e004
SHA512

657222793c942fd9eb933b856123b4b386d442ed2eedc32cdc25229864d60d5cd18ba4b55380b131094e864817c2bcd633823b2013749818a9151c7c6705846d
SSDEEP

1536:W7Z2sspAp5YSfffdOP+UDpOP+UDunAQanAQf:62ssWpYXYX3

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3293) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\bin\jp2iexp.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belize.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Catamarca.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\ExpandClose.bmp.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterBold.ttf.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\ResetEnter.AAC.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Panama.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Makassar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_ja.jar.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.tmp	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ab67ef0aa79aa71ba91e12a4dcc8630N.exe

C:\Users\Admin\AppData\Local\Temp\1ab67ef0aa79aa71ba91e12a4dcc8630N.exe
"C:\Users\Admin\AppData\Local\Temp\1ab67ef0aa79aa71ba91e12a4dcc8630N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
53KB

MD5
02c45b622bbff23c2e4d2a69ec2ebe23

SHA1
c306ed4bab84f78e73bac602fe4c7bd69f172602

SHA256
369ae1bd51f8f5cb0233df9e615cb876b00dfe72615e3d0e2358762f20c7f586

SHA512
20ebb0f81f29e653695d9f0056d3ec68c1cab9fe8649e069e831852cc27e6ac0a337d0ef20008052e516c8501b788043756a330bf79bdadd38b604e7c819c7eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
62KB

MD5
feb51b25392416b55a0d358ddb8644d0

SHA1
0239dda05c6c8eda5e90c1ea4147db43b7e2cd4f

SHA256
281b139272ef6dc1a711aaa80652959c3a9d40ed5419d8d62c906baf65dd8ff3

SHA512
1338a14d75aa2dcd3efb07b43931b7ad822bb89060c4f366721f1a8f065dfb668f683788be42c47a0423f9b041878cebd134c3fb5adbf47aa68b39d228bf2437

Download Submit