ead8be57c4955cde1559e1dd09aa44461256164bad8496203358bfeb5e4ff169

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb1e1d1244e6bc17ac709ee406eb310N.exe
Size

38KB
MD5

afb1e1d1244e6bc17ac709ee406eb310
SHA1

501657d64f890087a6d4a153d8df1281608fd7e2
SHA256

ead8be57c4955cde1559e1dd09aa44461256164bad8496203358bfeb5e4ff169
SHA512

385a0fc7bda5f10be9e93bd3582cbaa6057427aa28db947714655ce3f03426dd653d527b27d0adf68c6daf1b48ca508c3e1a9c6cf4d24ff82e18f0fbfc40165d
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNF9:W7ZppApBULcfpHLcfpyD9

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3455) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationTypes.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\WMM2CLIP.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Windows.Presentation.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Chita.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\CET.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Java\jre7\lib\zi\HST.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac.tmp	afb1e1d1244e6bc17ac709ee406eb310N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb1e1d1244e6bc17ac709ee406eb310N.exe

C:\Users\Admin\AppData\Local\Temp\afb1e1d1244e6bc17ac709ee406eb310N.exe
"C:\Users\Admin\AppData\Local\Temp\afb1e1d1244e6bc17ac709ee406eb310N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

Filesize
38KB

MD5
7fc48b74cd3130d7374924dc7b38e450

SHA1
d866d570143eb52bc2bf4a7b9f6946de374883a8

SHA256
30d6be85e73cd38c8500f11ff501ef21397d7fe9b155c52efdce8fed6f9419ba

SHA512
2fedfa1e1b0bb9cd7e97ff3d0181858cf44e188da5474a092bfb3d8c3dabc68c5038c4f09d783b454b5636c062e6c5f423fa6c0a832dec23407636f472213eab

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
47KB

MD5
4e59972a975639a483fd096575c8384a

SHA1
8b2bcf82ebd6b6ef5c15c9735b1fa777608cd5af

SHA256
8dc91a349a58aa2f88c787e67a6f854340796ac75c999488fb3fd4516ea21de1

SHA512
abce3559c38727e077ec55fcaceca74a420570692a90f3ff222cf32d493fe4268b73a066c7069d13506649fd75241b97ba465e33f27daa740e2819cacf8dd9cc

Download Submit