96174f7fc5959a824965a8cb8c11b3f6577bcaef8501a9df5f20e031259a6ad8

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6463ce49cbfcd2270a6fb7ca72af80N.exe
Size

50KB
MD5

1f6463ce49cbfcd2270a6fb7ca72af80
SHA1

03aaeb0a5d85c56d02813572a4018376e7e44257
SHA256

96174f7fc5959a824965a8cb8c11b3f6577bcaef8501a9df5f20e031259a6ad8
SHA512

7cb402dd4f4cd975c68a73660cc6756d5cadc346c31f663af603d8b1a671ed8213fa4170224b8fdbfde06b76161c623ce987cbb563d9e8578b357c6d7245a4fd
SSDEEP

384:GBt7Br5xjL7lAgA71Fbhvt3h+fZmrs71I8fZmrs71IUoV0K0G06:W7Blp9pARFbhCRYstRYsyV0Hj6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (2854) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hovd.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Eurosti.TTF.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.ServiceModel.Resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Shared\Common.fxh.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\bin\jdwp.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\bin\eula.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\bin\jawt.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\bin\sunmscapi.dll.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe
File created	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp	1f6463ce49cbfcd2270a6fb7ca72af80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f6463ce49cbfcd2270a6fb7ca72af80N.exe

C:\Users\Admin\AppData\Local\Temp\1f6463ce49cbfcd2270a6fb7ca72af80N.exe
"C:\Users\Admin\AppData\Local\Temp\1f6463ce49cbfcd2270a6fb7ca72af80N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.tmp

Filesize
50KB

MD5
75a6f872d3f16ccc704e35269bd3562c

SHA1
12aead18618b5858e159452f31e1ffed33b57e12

SHA256
ab2c967744ed433abf125a15a46d2ddce199f0585b22b6a573d0a6e3a0109181

SHA512
98988de5da0152c806fb9ca09bcc00abc22ba37606e4ff6d5f8868a3cf6c4ee1a78b6703ab703f3868bb7453fe3b4eef7e161fe77fd96d2a4814cef7fa3e6f68

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
59KB

MD5
bee5e6674bee0acf16a41301576dcda9

SHA1
09750a5eeb906c48da961a26ba736461519b425f

SHA256
ef45c9aa8e871865bc8e3af16f962cac0b8d3a1991858fcf58799704a55c0b55

SHA512
d83630a06174bb52fb522d9c6efb9365b39a6075a64170ff1c7e7d4944674376947c2950c8f6ee244254ac8f0bb7706b2606e1d822a03038c1297ab102ee274f

Download Submit