2988a99257b0cad1aac87ffe7abc2abc2fb3887646dcbd06ed4f5d7eeab8d94c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d121d83938b75ac4228fc99d8773a540N.exe
Size

78KB
MD5

d121d83938b75ac4228fc99d8773a540
SHA1

bc03eacd18938af1ec42765e752b6cc6a7d5fd11
SHA256

2988a99257b0cad1aac87ffe7abc2abc2fb3887646dcbd06ed4f5d7eeab8d94c
SHA512

433c5c338214ccd4c3e8359091b37bddfd36515675deacbe176e0f51d5a8ea5db21bd79bb195508bfd6552b23d4010166c388c7335bea35b998693d4cbbc65c0
SSDEEP

1536:W7ZDpApYbVK4vx4PN54PN4OHepOHeZSbM1mM1l:6DWp7Ww

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3249) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jre7\lib\sound.properties.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_SelectionSubpicture.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Mozilla Firefox\mozavutil.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp	d121d83938b75ac4228fc99d8773a540N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp	d121d83938b75ac4228fc99d8773a540N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d121d83938b75ac4228fc99d8773a540N.exe

C:\Users\Admin\AppData\Local\Temp\d121d83938b75ac4228fc99d8773a540N.exe
"C:\Users\Admin\AppData\Local\Temp\d121d83938b75ac4228fc99d8773a540N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3502430532-24693940-2469786940-1000\desktop.ini.tmp

Filesize
79KB

MD5
43d6e7cd8420153479b8f9e56e0d96d4

SHA1
337ed1a37acb1f833d439fe0f1903c59c5c37caf

SHA256
0ccfba0125d0c7ba59e18bc9814ed4c5f98dd25285a0bf868d1a2c0a1f6b1ac1

SHA512
63b9489f1d8a134fe54ed25556918847011eef4ac0991192c014163259477aeb68bae0109521429ed2a8141d2f830fc2835f6ca5e4a7f357ab690ade8de9c6c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
87KB

MD5
f0b7f1a3f1073d8e87e2e6892dc72336

SHA1
f1e55580fd5f554c1f12a373342bebd5fdaa2b00

SHA256
1d3d7d1cd72f65a8a1b30a52592924cff0f4c404fe5bdf98212df09b805353ad

SHA512
16933b501d08f3ba1d298fe9193692b39519666a961ae4bf9a661bb89e0542fb44500e68b5e91a627cd7f20f5d98100f34d82d397f869008c1a9980f3c37f0af

Download Submit