254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
Size

62KB
MD5

53d5b754a3cf1743b1383aecedb6b300
SHA1

84ed04b42b1a4a29cbd6d38578fc4d945af9c8c3
SHA256

254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334
SHA512

218b33c424c8aa31df8d3bdb077d3ce823655be848b0970ebfebfeb6b7e2719d8d4ec53f0043197605aa37dbf6d3bdea8ddf52238088e79a18fbd414fd2b7116
SSDEEP

1536:W7ZppApBULcfpHLcfpyDMJNnyGJNnyIypCypq:6pWpBwchcwDNZq

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3443) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Mail\oeimport.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Journal\en-US\Journal.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Journal\jnwdui.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Media Player\en-US\wmpnscfg.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\libglspectrum_plugin.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Journal\it-IT\PDIALOG.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Mail\en-US\WinMail.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Seoul.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Speech.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.png.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.tmp	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe

C:\Users\Admin\AppData\Local\Temp\254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe
"C:\Users\Admin\AppData\Local\Temp\254b2a2fe938ae134a4761043f1b13c58ff943cc14a1b02cdd6564dde5b8e334.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini.tmp

Filesize
63KB

MD5
bbb56aa6c783228329f839846140020a

SHA1
3ea492859d81010f102ee51ea42f10da65c4fa6d

SHA256
ea27b0c3634206f431c8be596f014d0363232edf911e794463d2ad8ab40fc4cf

SHA512
b0056b3ca30fa898067d324dcf3bf5e89c759c02ab58ec49d504d641355a5ce3cf749fef883c1241fe7ed6151bbda6887c8aad4b0e0eb315c94532d2187cc834

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
71KB

MD5
2cb32edf56bf118322e9d9a8afaa480c

SHA1
05868ab95316eeb929dc6839320c8e871f0d360e

SHA256
1437e526e9cea421fdfcffa4e69591eaf7a50ed0986bf8ffbd9f2f59a37bba0a

SHA512
d8d506d38022001a9236c7d1448f5040bc5b605bf3c1b9b39c6ce8326befef1685f1de928a08da237729f2d1c7567cee0b85b304c57f5d21d0de02c78965825c

Download Submit