13e34fb0bbfd9fa659c36bfa45180a3d13f076c0f75f78b8241253220b45969e

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

110cba95828c278e3019d18186839270N.exe
Size

87KB
MD5

110cba95828c278e3019d18186839270
SHA1

46559b54d49a235b9e9a6210f8909a935ff56629
SHA256

13e34fb0bbfd9fa659c36bfa45180a3d13f076c0f75f78b8241253220b45969e
SHA512

551d3760585d07fbb0265716a2a4005719023caafdd515fa3adc123217cb2aea843b2e0ee54399fac74512bb6fa73c170c8e894417a082f2311fa69a5da23414
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhP:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsu

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (396) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DenyRegister.reg.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\ConfirmJoin.mpeg3.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp	110cba95828c278e3019d18186839270N.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	110cba95828c278e3019d18186839270N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	110cba95828c278e3019d18186839270N.exe

C:\Users\Admin\AppData\Local\Temp\110cba95828c278e3019d18186839270N.exe
"C:\Users\Admin\AppData\Local\Temp\110cba95828c278e3019d18186839270N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.tmp

Filesize
87KB

MD5
f3a3ab36fc4c45ac3d89c000843a5616

SHA1
d58da1a39fee7f6d0b1bf4059edf65df1f4645e6

SHA256
aa747f9b41f3a1f6e5db3b690bd442c7e09b3f226a54a1f7509e43522f4c8996

SHA512
0e89ca79bc12ca99d508e09e09adb7595c22668ba652f85eb96529f385d5deade7b7ca7722629868711a994bede799e87551c687f24a1f68161a3646a50308ca

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
96KB

MD5
6265a879293effeaf5375592b81d21d1

SHA1
0cb69553cd4850deb99fbfe758b75d37dc71adb6

SHA256
460eb974f299171672d7b263f15602dd0970a5badc36527b14479e17118f5569

SHA512
ee2d2b3037ac936ffbc55e0a20e12ad91ed48f032648ca46c931f6bd6b3b3e5271e005246c8cec061681f8878eafb61c566cd338adc3e0562106c15586d84c74

Download Submit