141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
Size

65KB
MD5

06ce37eb29ad1658d5696910d70f1999
SHA1

786945ebf4397c7354894d2b0da432c6a49c3494
SHA256

141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c
SHA512

b8175900be6a1646d1a30cf8d497e3eb98ef63190de9e28cf2c36c16bfc9a549d955f1a5d4fc7d1ecd3af4cfd0585083f8df3dc8399911496da43657ec6de436
SSDEEP

1536:W7ZhA7pApw03vR03vcltdtSsU8Tu8TI3HMn3HL:6e7WpwYRYUtdtSsW3HMn3HL

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3701) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\en-US\Sidebar.exe.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\bin\server\jvm.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Montevideo.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Mail\wabfind.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_up.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Windows Journal\es-ES\NBMapTIP.dll.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\TraceUnprotect.ocx.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe

C:\Users\Admin\AppData\Local\Temp\141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe
"C:\Users\Admin\AppData\Local\Temp\141c10cd5285c3615dccbad7a6a9f74decf811e19ac69e669d00b96a2f26241c.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini.tmp

Filesize
65KB

MD5
3004f3104be702018b3d61c35d75d3ba

SHA1
354ff404534961c3a9d91f08a13cae623221da1f

SHA256
d1074f8c3c46bd9d0a6e75779be7fa4df8c799d4c20ed6c97efe88d2aec7aac8

SHA512
ef1951060d4266651c300cf960445fbe9de716e5ad1a8777353299f615ce2dc21e10a30c6f5c8001924b1d735112920b1ecdb5c46140644c881e1dd3fc37aca9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
74KB

MD5
106b8c5d23aa0ff49a75f91f4d2c302b

SHA1
80792106f5f49fe5b8f540751c29e545a2e716f9

SHA256
a736b94f672e518968bd7ff1f821231027477891d1fdcd399a82db5b469a0d1b

SHA512
bd8e8156721b4b3a9e1f3adf799e4e11ea2e757fccb76b82e8ef3d59c727bf1d841ca8fc34a5ecdf8633dc1413062ce8c21d6e17cae9af10e056ffa41d88c5e8

Download Submit