1ca874f0f1b6a451777e342b1376e64d84e2a6f794ce6a7401f05b52db57c067

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1908e6a381f4cb24aead7ab8f76567e0N.exe
Size

35KB
MD5

1908e6a381f4cb24aead7ab8f76567e0
SHA1

0e0f2399cb56797c04ec5fe281c6d605b7883a64
SHA256

1ca874f0f1b6a451777e342b1376e64d84e2a6f794ce6a7401f05b52db57c067
SHA512

1ba3cb4664ddb6bf72404838a1d67349a51c93bc06f22de890208eb449e7af163da117d7d6694e494a8773c84b6ea53670d146cfc4e5ac54c490cb661ed99d96
SSDEEP

384:GBt7Br5xjLfAgA71FbhvtPci1lnYOzlnYO5+vu+vn:W7BlpDpARFbhzbYONYOktP

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3249) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libdca_plugin.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Bahia.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Apia.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\EST.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\bin\management.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsFormsIntegration.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSEngine.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Marengo.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_zh_CN.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHEVI.DLL.tmp	1908e6a381f4cb24aead7ab8f76567e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1908e6a381f4cb24aead7ab8f76567e0N.exe

C:\Users\Admin\AppData\Local\Temp\1908e6a381f4cb24aead7ab8f76567e0N.exe
"C:\Users\Admin\AppData\Local\Temp\1908e6a381f4cb24aead7ab8f76567e0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

Filesize
35KB

MD5
3d8103f0794097cb2c7af37aa8a736b1

SHA1
d57ed6279afbcc05a713566d1182d53216a9653f

SHA256
e2a1f54762767460c37b8d79fc910cfec6b845a36ed72f058cd41e2edcfd6b58

SHA512
15d82f277c6e2b3ffa62ee8164517d51d63b1d00c0948b9f1e325f0996142f918d978d883c61cf1d614cf8ab4389c7b3bad41e1f07b7620e59ac4e41bba5c046

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
44KB

MD5
fdafff4d849bbbdc07bf7f0770464714

SHA1
bb8a017d1fb7d3ad112ff5654068b8ac251a9c9f

SHA256
9a2e4373de177d00b1de255adf0d7a7ef772165dcb47935684e29e61c403ba73

SHA512
2af874c62af888873eb764b422cd2372736327a92804fb650a94cf44d6db1a4e107cdc6d54dde08ed000b7c0ef3fe34336a48628f68f0192d7b5b8fa44f911a4

Download Submit