b64255f2032d2a5ee50cb1b280094b058554dc1e3a7d66ac1804d2f54d3c2b3d

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4973978199dd0533f64437563b2558c0N.exe
Size

49KB
MD5

4973978199dd0533f64437563b2558c0
SHA1

0117c7f6185e31640e29139d742defee63e54656
SHA256

b64255f2032d2a5ee50cb1b280094b058554dc1e3a7d66ac1804d2f54d3c2b3d
SHA512

d0c0fba1296d3441674afd953a2863af22001feb688131f4d890c825936265f64163bb20cca9479f5ced97e0ecda531fee4641e1dde0ca0491cbd227ef2e52e4
SSDEEP

768:W7BlpppARFbhjbhg42LcfpR42LcfproFNFcdyGdyQ:W7ZppApBULcfpHLcfpyDcdyGdyQ

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (3256) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Design.Resources.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Maldives.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\bin\dcpr.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.tmp	4973978199dd0533f64437563b2558c0N.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp	4973978199dd0533f64437563b2558c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4973978199dd0533f64437563b2558c0N.exe

C:\Users\Admin\AppData\Local\Temp\4973978199dd0533f64437563b2558c0N.exe
"C:\Users\Admin\AppData\Local\Temp\4973978199dd0533f64437563b2558c0N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2257386474-3982792636-3902186748-1000\desktop.ini.tmp

Filesize
49KB

MD5
4d5198cd3c40c33d2654410d7e1ebaaf

SHA1
d661230659c2cf2c6ab9a76c97a3091fe9fe1a6d

SHA256
d5148fef8abfc65be671fb8a3a611e0f488a99fe3ccb30ed77895983075215f3

SHA512
a68bf5eca6dc437c2cc82204665679e296a3de0521e66dbe4f34c7855fa1c3890fbf77264ae4eb8d4516318eb2508ab6eb2f6db877c03adf490d1582f74f703f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
58KB

MD5
45ab3422877ff5d340769369e8a7e8c2

SHA1
7e657531946fdb3d07102e7a180b9281fed9f98e

SHA256
eb53ac6dc45e2bfcecf64132800ae0ddeb0ed5f1ff9127993a7545b0ff8f2497

SHA512
e8b5475590485e01c49f8d2e6196afb6f67fe380b2ba92561a2830e9f076b40ce7f7b0d897b67b04b6243b4a6140506b6160463dd84212d032873242f215f878

Download Submit